# Latest (v9)
{% hint style="danger" %}
\*\***IMPORTANT\*\***
* **Please upgrade your Linked Account Roles to v1.14.001 or later BEFORE upgrading your console/agent to v9.**\
If you do not upgrade your Linked Account Roles then you could experience problems when using EventBridge. [Click here](https://help.cloudstoragesec.com/product-upgrades#linked-account-role-updates) to learn more about Linked Account Updates.
* **Please upgrade your console/agent to the** [**latest current version**](https://help.cloudstoragesec.com/trouble-shooting/error-when-upgrading-to-the-latest-major-version) **you're currently on before you can upgrade to the next major version.**\
For example, if you are on v8, you'll need to upgrade v8.08.002, then upgrade to v9.
{% endhint %}
## March 2026 - Console: v9.08.001, Agent: v9.08.001
In this release:
**Various Improvements and Bug Fixes**
* New Proactive Notification: AsyncAPIScanError
* Notification sent if Async API scans are initiated on nonexistent files
{% hint style="info" %}
**v9.08.001 Cloud Formation Template**
[v9.08.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.08.001.yaml)
{% endhint %}
## March 2026 - Console: v9.08.000, Agent: v9.08.000
In this release:
**AWS Organizations Support**
* AWS Organizations can be used to automatically provision Linked Accounts
* Deploy alongside StackSet for account discovery and setup
* Access feature in Access Management > Manage Accounts > Link Account
**Storage Gateway Support**
* CSS Application can consume Storage Gateway notifications
* Refer to [Storage Gateway Configuration](https://help.cloudstoragesec.com/how-it-works/object-scanning/event-driven-scanning#storage-gateway-configuration) for setup instructions
**Large File Scan instance size settings**
* 'EC2\_INSTANCE\_TYPE\_OVERRIDE' environment variable option added to Console Task Definition
* Set environment variable to EC2 Instance Type (e.g. 't3.large') for Large File Scan configuration
**Various Improvements and Bug Fixes**
* Host-Header values are no longer utilized in the application
* API-Only users are restricted from using Console API calls
* Sophos engine updated to v3.97
* Improved job handling and object cleanup for Scan Existing functionality
* Fixed a bug with the Proxy for All AWS Services feature
* Fixed a bug affecting NTFS EBS scans for Data Classification
* UI Improvements and Fixes
{% hint style="info" %}
**v9.08.000 Cloud Formation Template**
[v9.08.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.08.000.yaml)
{% endhint %}
## January 2026 - Console: v9.07.000, Agent: v9.07.000
In this release:
**Updating azure-core to 1.38.0**
* Updated azure-core (pip) to v1.38.0 to avoid a deserialization vulnerability
**Various Improvements and Bug Fixes**
* Fixed an issue affecting Retro scans in GCP
* Improved Azure logging
{% hint style="info" %}
**v9.07.000 Cloud Formation Template**
[v9.07.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.07.000.yaml)
{% endhint %}
## January 2026 - Console: v9.06.000, Agent: v9.06.000
In this release:
**Two-Bucket Prefix transfer option**
* For the Console two-bucket system, Retro and Scheduled scans now provide the option to include prefixes when moving Clean files to a destination bucket
* Toggle OFF will append the prefix of the object to the destination prefix
* Toggle ON will only move object name to the destination prefix
* Toggle feature in the Retro or Scheduled Scan menus
**Two-Bucket Cross-region transfers**
* Console-set Two-Bucket feature supports cross-region bucket transfers. Configure Two-Bucket system in Configuration > Scan Settings
**Various Improvements and Bug Fixes**
* Bucket auto-protection tag feature applies EventBridge protection to S3 buckets if an 'All object create events' Event Notification already exists
* Fixed a Terraform bug affecting EBS scanning in linked accounts
* Large File Scan jobs kicked off by the API Agent create jobs in the file region instead of the API Agent region
{% hint style="info" %}
**v9.06.000 Cloud Formation Template**
[v9.06.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.06.000.yaml)
{% endhint %}
## December 2025 - Console: v9.05.001, Agent: v9.05.001
In this release:
**Various Improvements and Bug Fixes**
**API Agent can track HTTP requests**
* After the API Agent has deployed, modify the Task Definition and add a new key of 'ENABLE\_HTTP\_LOGGING' with a value of 'true'
* Monitor the ECS.{appid}.API log group for incoming HTTP messages
**Proxy setting can be set to process all outbound traffic**
* In the CloudFormation settings, set 'Use Proxy For All Requests' to 'Yes'
* For more information on private deployments, consult
{% hint style="info" %}
**v9.05.001 Cloud Formation Template**
[v9.05.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.05.001.yaml)
{% endhint %}
## December 2025 - Console: v9.05.000, Agent: v9.05.000
In this release:
**Terraform now supports CMK encryption for CSS-created S3 Buckets**
* Automatically applies on Application buckets and new Quarantine buckets
* Utilize the 'use\_s3\_cmk\_arn' parameter to enable this feature
* Link to Terraform registry here:
**API Agent requests now support Transfer-Encoding header**
**Improved scan times for Azure event-based scanning**
* Improving file scan time consistency for similar-size files
**Uploaded-By and Virus-Name tags now returned to Infected Object tags**
* Uploaded-By tag lists the entity that uploaded the infected file
* Virus-Name tag lists discovered virus type
**Various Improvements and Bug Fixes**
* KubernetesClient has been updated to 17.0.14
* NuGet dependencies have been upgraded
* Automatic Scanning Protection menu UI has been removed for DC, as it is an AV-only feature
* Fixed an issue where EC2 EBS Scans would fail to provision
* Fixed a bug where EC2 DC-based scans were occasionally failing on partitioned EBS Volumes
* UI Improvements and Fixes
{% hint style="info" %}
**v9.05.000 Cloud Formation Template**
[v9.05.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.05.000.yaml)
{% endhint %}
## November 2025 - Console: v9.04.000, Agent: v9.04.000
In this release:
**API Scan and Upload endpoint now uploads with tags and metadata**
* API Agent can now upload Clean files with tags and metadata upon request
* Use headers for binary uploads and form fields for multipart form uploads
* Read more at the [API Driven Scanning page](https://help.cloudstoragesec.com/how-it-works/object-scanning/api-driven-scanning#api-scan)
**Cognito Rate Limiting Error Added**
* Updated API Request response to return 429 HTTP response when Token hits Cognito rate limit error
**Sophos Engine Update**
* Sophos engine updated to v3.96.1
**CSS Premium SDK Update**
* CSS Premium SDK updated to 3.10.1.346
**Various Improvements and Bug Fixes**
* Updated System.Text.RegularExpressions (NuGet) to v4.3.1 to avoid a Denial of Service vulnerability
* When AllowAccessToAllKmsKeys is set to 'No', Console permissions are limited to remove KMS access
* Fixed a bug affecting License mode switches between PayG and BYOL
* Fixed a bug causing discrepancies in the Storage Breakdown and Summary section in the AV Results page
* UI Improvements and Fixes
{% hint style="info" %}
**v9.04.000 Cloud Formation Template**
[v9.04.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.04.000.yaml)
{% endhint %}
## October 2025 - Console: v9.03.002, Agent: v9.03.002
In this release:
**Scan Results for Async API Scans Include Reference IDs**
* The Agent.ScanResults log group now includes ReferenceIDs for /api/ScanAsync/\* class calls. Utilize the GET /api/ScanAsync call with the Reference ID to return a scan verdict
{% hint style="info" %}
**v9.03.002 Cloud Formation Template**
[v9.03.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.002.yaml)
{% endhint %}
## October 2025 - Console: v9.03.001, Agent: v9.03.001
In this release:
**Various Improvements and Bug Fixes**
* Fixed a bug affecting the Multi-Engine File Size Scanning mode
* UI improvements and fixes
{% hint style="info" %}
**v9.03.001 Cloud Formation Template**
[v9.03.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.001.yaml)
{% endhint %}
## October 2025 - Console: v9.03.000, Agent: v9.03.000
In this release:
**API – Asynchronous Scanning Invocations**
We've added support for asynchronous API scanning.
* Enable the feature in API Agent Settings > Enable Asynchronous Scanning
* POST /api/ScanAsync/Existing takes an S3 object path returns a referenceId to retrieve the job status and verdict
* POST /api/ScanAsync takes an object returns a referenceId to retrieve the job status and verdict
* POST /api/ScanAsync/url takes a URL and returns a reference Id to retrieve the job status and verdict
* POST /api/ScanAsync/Cancel takes a referenceId to cancel the job
* GET /api/ScanAsync takes a referenceId and retrieves the job status and verdict
**EKS Support for Antivirus**
* Added support for running the antivirus on Amazon EKS. Enable this feature in the CloudFormation template under Deployment Type
**CMK For CSS Application Buckets**
* Added parameter in CFT to use CMK on CSS application buckets
**Sophos Engine Update**
* Updated the Sophos engine to **v3.95.1**.
**Various Improvements and Bug Fixes**
* Automatic Scanning Protection menu is now turned off by default and enabled via Configuration > Console Settings > Automatic Scanning Configuration
* Improved handling in GCP for projects missing the Service Account API. If the Storage API is absent, it is now added automatically.
* Enabled **“Drop invalid header fields”** by default on the API load balancer.
* Reduced recovery time for CSS Secure when engine errors occur.
* Fixed a bug affecting EBS Retro Scan Jobs
* Fixed an error when deleting the application using the **Delete Application** button.
* Fixed an issue with cancellation tokens when a task shuts down.
* Fixed an unexpected error when loading job details for classification jobs.
* Fixed an upgrade issue in GovCloud when using the Console UI on the latest versions.
* UI Improvements and Fixes
{% hint style="info" %}
**v9.03.000 Cloud Formation Template**
[v9.03.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.000.yaml)
{% endhint %}
## September 2025 - Console: v9.02.001, Agent: v9.02.001
In this release:
* Added the ability to change the CPU and memory for large file scanning jobs by setting the following environment variables in the console task:
* JOB\_CPU\_OVERRIDE
* JOB\_MEMORY\_OVERRIDE
* Fixed a bug in the console service that caused an excessive number of requests to DynamoDB.
* Improved the accuracy of data on the Summary, Dashboard, and Storage Breakdown pages.
{% hint style="info" %}
**v9.02.001 Cloud Formation Template**
[v9.02.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.02.001.yaml)
{% endhint %}
## August 2025 - Console: v9.02.000, Agent: v9.02.000
In this release:
**GCP Event-Based Scanning**
* Event-Based scanning for GCP is now available, scan files in real-time as they enter GCP Buckets
* Enable in Malware Scanning > GCP
**License Management UI Updates**
* When the account is low on data in BYOL Mode, users will receive a new Prepaid Data Details page explaining the logic behind prepaid data
**New Console APIs**
We've added 4 new Console APIs.
The 3 new Monitoring APIs closely match our 'See What's Infected' > 'AV Results' page in the Console
* GET Monitoring/Results/Summary returns information on data scanned, total size, and number of objects for each time for the time-frame requested
* GET Monitoring/Results/Account returns information on data scanned, total size, and number of objects for each account
* GET Monitoring/Results/Container returns information on data scanned, total size, and number of objects for each container
The new Proactive Notification API affects existing Proactive Notifications.
* PATCH ProactiveNotifications/{subscriptionid} allows modification of an existing Proactive Notification
**Azure Improvements**
* Azure Linked Accounts can now be deployed with Terraform. Please consult our [Linking an Azure Account](https://help.cloudstoragesec.com/console-overview/access-management/linked-accounts/linking-an-azure-account#deploying-via-terraform) page for more details
* Blobs moved into Azure quarantine are now tagged with their respective attributes (Quarantine, Error, Unscannable)
* Fixed a bug in Azure where the Console was unable to retrieve private network access Storage Containers
* Fixed a bug where the CSS Bicep Template was occasionally failing to deploy
**Sophos Engine Update**
* Sophos engine updated to v3.95.0
**Restricted Bucket UI Improvement**
* Buckets that cannot be accessed due to our Restrict Bucket Access by Prefixes feature will be marked with a yellow  symbol
**Various Improvements and Bug Fixes**
* Reduced ClamAV engine timeout threshold from 5 to 2 minutes
* API Scan Existing file volume is now added to the Storage Breakdown table
* GCP Buckets now properly show as conflicted if protected by another Console
* GCP Buckets that are created by the Terraform Linked Account template do not show up in the Console
* Improved the response time of unresponsive API Agent replacement
* Extended the credential timeout of cross-account Large File Scans
* Fixed a bug where MFA was failing to disable
* Fixed a bug affecting Large File Scan tagging in cross-account scanning
* Fixed a bug affecting Data Classification scanning
* Fixed a bug affecting quarantine buckets when limiting general bucket access
* UI Improvements and Fixes
{% hint style="info" %}
**v9.02.000 Cloud Formation Template**
[v9.02.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.02.000.yaml)
{% endhint %}
## July 2025 - Console: v9.01.003, Agent: v9.01.003
In this release:
* Fixed a bug where Azure linked accounts were occasionally unable to ingest some Storage Accounts for protection.
{% hint style="info" %}
**v9.01.003 Cloud Formation Template**
[v9.01.003](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.003.yaml)
{% endhint %}
## July 2025 - Console: v9.01.002, Agent: v9.01.002
In this release:
* Added additional coverage for the bug affecting Cognito's JWT upon user login to the Console.
{% hint style="info" %}
**v9.01.002 Cloud Formation Template**
[v9.01.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.002.yaml)
{% endhint %}
## July 2025 - Console: v9.01.001, Agent: v9.01.001
In this release:
* Fixed a bug affecting Cognito's JWT upon user login to the Console.
{% hint style="info" %}
**v9.01.001 Cloud Formation Template**
[v9.01.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.001.yaml)
{% endhint %}
## June 2025 - Console: v9.01.000, Agent: v9.01.000
In this release:
**New Console APIs**
We've added 3 new Console APIs to manage Proactive Notifications.
* GET API ProactiveNotifications retrieves all existing Proactive Notifications
* POST API ProactiveNotifications creates a new Proactive Notification
* GET API ProactiveNotifications/{subscriptionId} retrieves information about an existing Proactive Notification
**Enable EBS Encryption**
* When enabled, all new EBS volumes will be created with encryption.
* Enable feature in Configuration > Scan Settings > Enable EBS Encryption
**Event Agent Stall Protection**
* The application now detects and restarts stalled Event Agents if they are unresponsive
* This process can take around 20-30 minutes for detection and the creation of a backup task
**GCP Least Privilege Role Permissions**
* We've improved upon 4 GCP role permissions to adhere to the principle of least privilege:
* `CSSStoragePermissions` is created for each Protected Project to access the objects for that Project
* `CSSMainStoragePermissions` is created to access the CSS Project
* `CloudRunJobsMinimalAccess` is created to utlilize Cloud Run Jobs
* `CSSMainSecretPermissions` is created to manage secrets
**ClamAV Engine Update**
* ClamAV engine has been updated to v1.0.9
**Various Improvements and Bug Fixes**
* Console Settings UI for Terraform deployments have been updated as 'disabled' for the following settings that can only be changed in the module:
* EventBridge Proactive Notifications
* System Tags
* SNS Notifications convert non-BMP symbols to the "?" character to avoid delivery errors
* Console-initiated Agent Settings updates now update CFT instead of the task definition manually
* The Terraform module now has inputs for the Console CPU and Memory, refer to [the module](https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest?tab=inputs) for all inputs
* Fixed a bug where API Agents would occasionally fail to send notifications to custom EventBridge buses
* Fixed a bug where the /api/scan API fails to resolve private or local IPs
* UI Fixes and Improvements
{% hint style="info" %}
**v9.01.000 Cloud Formation Template**
[v9.01.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.000.yaml)
{% endhint %}
## June 2025 - Console: v9.00.003, Agent: v9.00.003
In this release:
* Fixed a bug affecting API Scanning where scan attempts would return a 500 HTTP response
{% hint style="info" %}
**v9.00.003 Cloud Formation Template**
[v9.00.003](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.003.yaml)
{% endhint %}
## June 2025 - Console: v9.00.002, Agent: v9.00.002
In this release:
* Fixed a bug affecting Large File Scans
{% hint style="info" %}
**v9.00.002 Cloud Formation Template**
[v9.00.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.002.yaml)
{% endhint %}
## May 2025 - Console: v9.00.001, Agent: v9.00.001
In this release:
* Fixed a bug affecting Smart Scan and Protect Everything
{% hint style="info" %}
**v9.00.001 Cloud Formation Template**
[v9.00.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.001.yaml)
{% endhint %}
## May 2025 - Console: v9.00.000, Agent: v9.00.000
In this release:
**Protect Everything**
Adds the ability to Protect all storage containers for comprehensive storage coverage
* Added indicator of storage container protection posture
* Protect AWS, Azure, and GCP buckets in one menu
* Offers exclusion lists
* Containers that were already protected will remain protected if Protect Everything is turned off
**Server-Side encryption for Two-Bucket System**
* Console-created two-bucket systems allow encryption enforcement
**Console-Side Upgrade Improvement**
* Console requires upgrade to latest minor version before upgrade to latest major version
**Vulnerability Patching**
* Various vulnerability fixes have been implemented
**WorkDocs Support Removed**
* AWS is removing support for WorkDocs. We've removed WorkDocs options from the Console
**Various Improvements and Bug Fixes**
* Object tags now support the following symbols: + - = . \_ : /
* Containers now use Rocky Linux instead of CentOS Stream 10
* Agent Config improvements
* Fixed a bug affecting Scan and Skip lists
* Fixed a bug affecting custom EventBridge Buses
* Fixed a bug affecting precreated IAM Roles
* Improved Large File Scan handling
* UI Fixes for the Console Dashboard
{% hint style="info" %}
**v9.00.000 Cloud Formation Template**
[v9.00.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.000.yaml)
{% endhint %}
