# Latest (v9)

{% hint style="danger" %}
**IMPORTANT**

* **Please upgrade your Linked Account Roles to v1.14.001 or later BEFORE upgrading your console/agent to v9.**\
  If you do not upgrade your Linked Account Roles then you could experience problems when using EventBridge. [Click here](/product-upgrades.md#linked-account-role-updates) to learn more about Linked Account Updates.
* **Please upgrade your console/agent to the** [**latest version**](/trouble-shooting/error-when-upgrading-to-the-latest-major-version.md) **of the major version you're currently on before upgrading to the next major version.**\
  For example, if you are on v8, you'll need to upgrade to v8.08.002, then upgrade to v9.
  {% endhint %}

## May 2026 - Console: v9.09.002, Agent: v9.09.002

In this release:

**Security and Dependency Updates**

* Updated underlying libraries to the latest .NET 10 release to address known vulnerabilities
* Resolved a cryptography library buffer overflow vulnerability
* Updated fast-xml-parser to address npm security advisories
* Removed an unused XML cryptography library from the Internal API to reduce attack surface

{% hint style="info" %}
**v9.09.002 Cloud Formation Template**

[v9.09.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.09.002.yaml)
{% endhint %}

## May 2026 - Console: v9.09.001, Agent: v9.09.001

In this release:

**Volume Selection Environment Variable**

* Added the LARGE\_FILE\_VOLUME\_TYPE\_DEFAULT Console environment variable
* Defaults to gp2; can be set to gp3

{% hint style="info" %}
**v9.09.001 Cloud Formation Template**

[v9.09.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.09.001.yaml)
{% endhint %}

## April 2026 - Console: v9.09.000, Agent: v9.09.000

In this release:

**API Agent – CloudFormation and Terraform Deployment**

* The API Agent can now be deployed and managed directly through CloudFormation and Terraform
* Simplifies provisioning for teams using infrastructure-as-code workflows
* Available as a parameter in the CloudFormation Template and via the [Terraform registry](https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest)

**AWS Organizations Support – Terraform**

* AWS Organizations account linking, introduced in v9.08.000, is now also supported through Terraform
* Automatically provisions Linked Accounts discovered via AWS Organizations during Terraform deployments
* Refer to the [Terraform registry](https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest) for configuration details

**API – Scan and Upload Enhancements**

* **Presigned URL Upload**: The Scan and Upload endpoint now accepts a presigned destination URL. Clean files are uploaded directly to the provided URL rather than requiring a destination bucket configuration
* **Unscannable and Error File Handling**: API Agent Settings now include a configurable option to upload unscannable and error files in addition to clean files during the Scan and Upload workflow

  <figure><img src="/files/ECSz1zLo8ofld3rXwgN7" alt=""><figcaption></figcaption></figure>

**Results – Storage Breakdown Metadata**

* The Storage Breakdown section under ‘See What’s Infected → AV Results’ now includes two additional columns:

  * Account ID of the storage resource
  * Resource ARN

  <figure><img src="/files/Rg5n5swSyTaiILljKevi" alt=""><figcaption></figcaption></figure>

**Various Improvements and Bug Fixes**

* The Bucket Protection page now defaults to "Show All" for improved usability
* Large File Scan downloads now include retry logic for improved reliability on transient network errors
* Renamed "Security Hub" to "Security Hub CSPM" under AWS Integrations for clarity
* EC2 Scan Task Definition updated to resolve a Security Hub ECS compliance finding
* Updated urllib3 to version 2.6.0 to address CVE-2025-66471
* Removed the legend text from the Automatic Protection page
* Fixed a bug affecting EFS file quarantine operations
* Fixed a bug where large multipart uploads during event scanning could exhaust available disk space
* Fixed an issue preventing the Manage Accounts page from loading in GovCloud environments
* Fixed bugs affecting Async API scanning operations and notification response format
* Fixed a GCP deployment permissions issue

{% hint style="info" %}
**v9.09.000 Cloud Formation Template**

[v9.09.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.09.000.yaml)
{% endhint %}

## April 2026 - Console: v9.08.002, Agent: v9.08.002

In this release:

**Updated our SSL Certificate.** Be sure to update to this version to avoid SSL browser errors!

{% hint style="info" %}
**v9.08.002 Cloud Formation Template**

[v9.08.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.08.002.yaml)
{% endhint %}

## March 2026 - Console: v9.08.001, Agent: v9.08.001

In this release:

**Various Improvements and Bug Fixes**

* New Proactive Notification: AsyncAPIScanError
  * Notification sent if Async API scans are initiated on nonexistent files

{% hint style="info" %}
**v9.08.001 Cloud Formation Template**

[v9.08.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.08.001.yaml)
{% endhint %}

## March 2026 - Console: v9.08.000, Agent: v9.08.000

In this release:

**AWS Organizations Support**

* AWS Organizations can be used to automatically provision Linked Accounts
* Deploy alongside StackSet for account discovery and setup
* Access feature in Access Management > Manage Accounts > Link Account

<figure><img src="/files/n9mtwsZiHTXuf2yr5MHr" alt=""><figcaption></figcaption></figure>

**Storage Gateway Support**

* CSS Application can consume Storage Gateway notifications
* Refer to [Storage Gateway Configuration](/how-it-works/object-scanning/event-driven-scanning.md#storage-gateway-configuration) for setup instructions

**Large File Scan instance size settings**

* 'EC2\_INSTANCE\_TYPE\_OVERRIDE' environment variable option added to Console Task Definition
* Set environment variable to EC2 Instance Type (e.g. 't3.large') for Large File Scan configuration

**Various Improvements and Bug Fixes**

* Host-Header values are no longer utilized in the application
* API-Only users are restricted from using Console API calls
* Sophos engine updated to v3.97
* Improved job handling and object cleanup for Scan Existing functionality
* Fixed a bug with the Proxy for All AWS Services feature
* Fixed a bug affecting NTFS EBS scans for Data Classification
* UI Improvements and Fixes

{% hint style="info" %}
**v9.08.000 Cloud Formation Template**

[v9.08.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.08.000.yaml)
{% endhint %}

## January 2026 - Console: v9.07.000, Agent: v9.07.000

In this release:

**Updating azure-core to 1.38.0**

* Updated azure-core (pip) to v1.38.0 to avoid a deserialization vulnerability

**Various Improvements and Bug Fixes**

* Fixed an issue affecting Retro scans in GCP
* Improved Azure logging

{% hint style="info" %}
**v9.07.000 Cloud Formation Template**

[v9.07.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.07.000.yaml)
{% endhint %}

## January 2026 - Console: v9.06.000, Agent: v9.06.000

In this release:

**Two-Bucket Prefix transfer option**

* For the Console two-bucket system, Retro and Scheduled scans now provide the option to include prefixes when moving Clean files to a destination bucket
* Toggle OFF will append the prefix of the object to the destination prefix
* Toggle ON will only move object name to the destination prefix
* Toggle feature in the Retro or Scheduled Scan menus

<figure><img src="/files/EqZuvRUl3jQF2LpkiVeu" alt=""><figcaption></figcaption></figure>

**Two-Bucket Cross-region transfers**

* Console-set Two-Bucket feature supports cross-region bucket transfers. Configure Two-Bucket system in Configuration > Scan Settings

**Various Improvements and Bug Fixes**

* Bucket auto-protection tag feature applies EventBridge protection to S3 buckets if an 'All object create events' Event Notification already exists
* Fixed a Terraform bug affecting EBS scanning in linked accounts
* Large File Scan jobs kicked off by the API Agent create jobs in the file region instead of the API Agent region

{% hint style="info" %}
**v9.06.000 Cloud Formation Template**

[v9.06.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.06.000.yaml)
{% endhint %}

## December 2025 - Console: v9.05.001, Agent: v9.05.001

In this release:

**Various Improvements and Bug Fixes**

**API Agent can track HTTP requests**

* After the API Agent has deployed, modify the Task Definition and add a new key of 'ENABLE\_HTTP\_LOGGING' with a value of 'true'
* Monitor the ECS.{appid}.API log group for incoming HTTP messages

<figure><img src="/files/Rj8homLYGoLuoHcGAqgZ" alt=""><figcaption></figcaption></figure>

**Proxy setting can be set to process all outbound traffic**

* In the CloudFormation settings, set 'Use Proxy For All Requests' to 'Yes'
* For more information on private deployments, consult <https://help.cloudstoragesec.com/how-it-works/deployment-details?q=proxy#leveraging-vpc-endpoints>

<figure><img src="/files/qbGAqteN77ccbjq78pHa" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**v9.05.001 Cloud Formation Template**

[v9.05.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.05.001.yaml)
{% endhint %}

## December 2025 - Console: v9.05.000, Agent: v9.05.000

In this release:

**Terraform now supports CMK encryption for CSS-created S3 Buckets**

* Automatically applies on Application buckets and new Quarantine buckets
* Utilize the 'use\_s3\_cmk\_arn' parameter to enable this feature
* Link to Terraform registry here: <https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest>

**API Agent requests now support Transfer-Encoding header**

<figure><img src="/files/KPXK5cV6LpLrwBSuxA7D" alt="" width="563"><figcaption></figcaption></figure>

**Improved scan times for Azure event-based scanning**

* Improved file scan time consistency for similar-size files

**Uploaded-By and Virus-Name tags now returned to Infected Object tags**

* Uploaded-By tag lists the entity that uploaded the infected file
* Virus-Name tag lists discovered virus type

**Various Improvements and Bug Fixes**

* KubernetesClient has been updated to 17.0.14
* NuGet dependencies have been upgraded
* Automatic Scanning Protection menu UI has been removed for DC, as it is an AV-only feature
* Fixed an issue where EC2 EBS Scans would fail to provision
* Fixed a bug where EC2 DC-based scans were occasionally failing on partitioned EBS Volumes
* UI Improvements and Fixes

{% hint style="info" %}
**v9.05.000 Cloud Formation Template**

[v9.05.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.05.000.yaml)
{% endhint %}

## November 2025 - Console: v9.04.000, Agent: v9.04.000

In this release:

**API Scan and Upload endpoint now uploads with tags and metadata**

* API Agent can now upload Clean files with tags and metadata upon request
* Use headers for binary uploads and form fields for multipart form uploads
* Read more at the [API Driven Scanning page](https://help.cloudstoragesec.com/how-it-works/object-scanning/api-driven-scanning#api-scan)

**Cognito Rate Limiting Error Added**

* Updated API Request response to return 429 HTTP response when Token hits Cognito rate limit error

**Sophos Engine Update**

* Sophos engine updated to v3.96.1

**CSS Premium SDK Update**

* CSS Premium SDK updated to 3.10.1.346

**Various Improvements and Bug Fixes**

* Updated System.Text.RegularExpressions (NuGet) to v4.3.1 to avoid a Denial of Service vulnerability
* When AllowAccessToAllKmsKeys is set to 'No', Console permissions are limited to remove KMS access
* Fixed a bug affecting License mode switches between PayG and BYOL
* Fixed a bug causing discrepancies in the Storage Breakdown and Summary section in the AV Results page
* UI Improvements and Fixes

{% hint style="info" %}
**v9.04.000 Cloud Formation Template**

[v9.04.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.04.000.yaml)
{% endhint %}

## October 2025 - Console: v9.03.002, Agent: v9.03.002

In this release:

**Scan Results for Async API Scans Include Reference IDs**

* The Agent.ScanResults log group now includes ReferenceIDs for /api/ScanAsync/\* class calls. Utilize the GET /api/ScanAsync call with the Reference ID to return a scan verdict

<figure><img src="/files/6ghvJ0l8zIoBYCGK3grh" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**v9.03.002 Cloud Formation Template**

[v9.03.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.002.yaml)
{% endhint %}

## October 2025 - Console: v9.03.001, Agent: v9.03.001

In this release:

**Various Improvements and Bug Fixes**

* Fixed a bug affecting the Multi-Engine File Size Scanning mode
* UI improvements and fixes

{% hint style="info" %}
**v9.03.001 Cloud Formation Template**

[v9.03.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.001.yaml)
{% endhint %}

## October 2025 - Console: v9.03.000, Agent: v9.03.000

In this release:

**API – Asynchronous Scanning Invocations**

We've added support for asynchronous API scanning.

<figure><img src="/files/DDP1k20ND9bwtvZINmi9" alt=""><figcaption></figcaption></figure>

* Enable the feature in API Agent Settings > Enable Asynchronous Scanning
* POST /api/ScanAsync/Existing takes an S3 object path and returns a referenceId to retrieve the job status and verdict
* POST /api/ScanAsync takes an object and returns a referenceId to retrieve the job status and verdict
* POST /api/ScanAsync/url takes a URL and returns a referenceId to retrieve the job status and verdict
* POST /api/ScanAsync/Cancel takes a referenceId to cancel the job
* GET /api/ScanAsync takes a referenceId and retrieves the job status and verdict

**EKS Support for Antivirus**

* Added support for running the antivirus on Amazon EKS. Enable this feature in the CloudFormation template under Deployment Type

**CMK For CSS Application Buckets**

* Added parameter in CFT to use CMK on CSS application buckets

<figure><img src="/files/uUJSDgPJCdCKnBgAJo9h" alt=""><figcaption></figcaption></figure>

**Sophos Engine Update**

* Updated the Sophos engine to **v3.95.1**.

**Various Improvements and Bug Fixes**

* Automatic Scanning Protection menu is now turned off by default and enabled via Configuration > Console Settings > Automatic Scanning Configuration
* Improved handling in GCP for projects missing the Service Account API. If the Storage API is absent, it is now added automatically.
* Enabled **“Drop invalid header fields”** by default on the API load balancer.
* Reduced recovery time for CSS Secure when engine errors occur.
* Fixed a bug affecting EBS Retro Scan Jobs
* Fixed an error when deleting the application using the **Delete Application** button.
* Fixed an issue with cancellation tokens when a task shuts down.
* Fixed an unexpected error when loading job details for classification jobs.
* Fixed an upgrade issue in GovCloud when using the Console UI on the latest versions.
* UI Improvements and Fixes

{% hint style="info" %}
**v9.03.000 Cloud Formation Template**

[v9.03.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.03.000.yaml)
{% endhint %}

## September 2025 - Console: v9.02.001, Agent: v9.02.001

In this release:

* Added the ability to change the CPU and memory for large file scanning jobs by setting the following environment variables in the console task:
  * JOB\_CPU\_OVERRIDE
  * JOB\_MEMORY\_OVERRIDE
* Fixed a bug in the console service that caused an excessive number of requests to DynamoDB.
* Improved the accuracy of data on the Summary, Dashboard, and Storage Breakdown pages.

{% hint style="info" %}
**v9.02.001 Cloud Formation Template**

[v9.02.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.02.001.yaml)
{% endhint %}

## August 2025 - Console: v9.02.000, Agent: v9.02.000

In this release:

**GCP Event-Based Scanning**

* Event-Based scanning for GCP is now available; scan files in real time as they enter GCP Buckets
* Enable in Malware Scanning > GCP

<figure><img src="/files/TDTGknXWA8HbxMiFRQ3s" alt=""><figcaption></figcaption></figure>

**License Management UI Updates**

* When the account is low on data in BYOL Mode, users will receive a new Prepaid Data Details page explaining the logic behind prepaid data

<figure><img src="/files/kdaShxcUt67oHjOnISF4" alt=""><figcaption></figcaption></figure>

**New Console APIs**

We've added 4 new Console APIs.

The 3 new Monitoring APIs closely match our 'See What's Infected' > 'AV Results' page in the Console

<figure><img src="/files/rx9K1U0OTgDp8t89X0li" alt=""><figcaption></figcaption></figure>

* GET Monitoring/Results/Summary returns information on data scanned, total size, and number of objects for each time for the time-frame requested
* GET Monitoring/Results/Account returns information on data scanned, total size, and number of objects for each account
* GET Monitoring/Results/Container returns information on data scanned, total size, and number of objects for each container

The new Proactive Notification API affects existing Proactive Notifications.

<figure><img src="/files/gL2oFTaJReoB8nW48wxz" alt=""><figcaption></figcaption></figure>

* PATCH ProactiveNotifications/{subscriptionid} allows modification of an existing Proactive Notification

**Azure Improvements**

* Azure Linked Accounts can now be deployed with Terraform. Please consult our [Linking an Azure Account](/console-overview/access-management/linked-accounts/linking-an-azure-account.md#deploying-via-terraform) page for more details
* Blobs moved into Azure quarantine are now tagged with their respective attributes (Quarantine, Error, Unscannable)
* Fixed a bug in Azure where the Console was unable to retrieve private network access Storage Containers
* Fixed a bug where the CSS Bicep Template was occasionally failing to deploy

**Sophos Engine Update**

* Sophos engine updated to v3.95.0

**Restricted Bucket UI Improvement**

* Buckets that cannot be accessed due to our Restrict Bucket Access by Prefixes feature will be marked with a yellow ![](/files/JNcnLr8atYzCmnfOpELs) symbol

**Various Improvements and Bug Fixes**

* Reduced ClamAV engine timeout threshold from 5 to 2 minutes
* API Scan Existing file volume is now added to the Storage Breakdown table
* GCP Buckets now properly show as conflicted if protected by another Console
* GCP Buckets that are created by the Terraform Linked Account template do not show up in the Console
* Improved the response time of unresponsive API Agent replacement
* Extended the credential timeout of cross-account Large File Scans
* Fixed a bug where MFA was failing to disable
* Fixed a bug affecting Large File Scan tagging in cross-account scanning
* Fixed a bug affecting Data Classification scanning
* Fixed a bug affecting quarantine buckets when limiting general bucket access
* UI Improvements and Fixes

{% hint style="info" %}
**v9.02.000 Cloud Formation Template**

[v9.02.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.02.000.yaml)
{% endhint %}

## July 2025 - Console: v9.01.003, Agent: v9.01.003

In this release:

* Fixed a bug where Azure linked accounts were occasionally unable to ingest some Storage Accounts for protection.

{% hint style="info" %}
**v9.01.003 Cloud Formation Template**

[v9.01.003](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.003.yaml)
{% endhint %}

## July 2025 - Console: v9.01.002, Agent: v9.01.002

In this release:

* Added additional coverage for the bug affecting Cognito's JWT upon user login to the Console.

{% hint style="info" %}
**v9.01.002 Cloud Formation Template**

[v9.01.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.002.yaml)
{% endhint %}

## July 2025 - Console: v9.01.001, Agent: v9.01.001

In this release:

* Fixed a bug affecting Cognito's JWT upon user login to the Console.

{% hint style="info" %}
**v9.01.001 Cloud Formation Template**

[v9.01.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.001.yaml)
{% endhint %}

## June 2025 - Console: v9.01.000, Agent: v9.01.000

In this release:

**New Console APIs**

We've added 3 new Console APIs to manage Proactive Notifications.

<figure><img src="/files/E8Hn4dmREen53Cr3fWvT" alt=""><figcaption></figcaption></figure>

* GET API ProactiveNotifications retrieves all existing Proactive Notifications
* POST API ProactiveNotifications creates a new Proactive Notification
* GET API ProactiveNotifications/{subscriptionId} retrieves information about an existing Proactive Notification

**Enable EBS Encryption**

* When enabled, all new EBS volumes will be created with encryption.
* Enable feature in Configuration > Scan Settings > Enable EBS Encryption

<figure><img src="/files/WpmLlgwCrCl1kRBiNzwR" alt=""><figcaption></figcaption></figure>

**Event Agent Stall Protection**

* The application now detects and restarts stalled Event Agents if they are unresponsive
* This process can take around 20-30 minutes for detection and the creation of a backup task

**GCP Least Privilege Role Permissions**

* We've improved upon 4 GCP role permissions to adhere to the principle of least privilege:
  * `CSSStoragePermissions` is created for each Protected Project to access the objects for that Project
  * `CSSMainStoragePermissions` is created to access the CSS Project
  * `CloudRunJobsMinimalAccess` is created to utilize Cloud Run Jobs
  * `CSSMainSecretPermissions` is created to manage secrets

**ClamAV Engine Update**

* ClamAV engine has been updated to v1.0.9

**Various Improvements and Bug Fixes**

* The Console Settings UI for Terraform deployments now shows the following settings, which can only be changed in the module, as 'disabled':
  * EventBridge Proactive Notifications
  * System Tags
* SNS Notifications convert non-BMP symbols to the "?" character to avoid delivery errors
* Console-initiated Agent Settings updates now update CFT instead of the task definition manually
* The Terraform module now has inputs for the Console CPU and Memory; refer to [the module](https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest?tab=inputs) for all inputs
* Fixed a bug where API Agents would occasionally fail to send notifications to custom EventBridge buses
* Fixed a bug where the /api/scan API fails to resolve private or local IPs
* UI Fixes and Improvements

{% hint style="info" %}
**v9.01.000 Cloud Formation Template**

[v9.01.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.01.000.yaml)
{% endhint %}

## June 2025 - Console: v9.00.003, Agent: v9.00.003

In this release:

* Fixed a bug affecting API Scanning where scan attempts would return a 500 HTTP response

{% hint style="info" %}
**v9.00.003 Cloud Formation Template**

[v9.00.003](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.003.yaml)
{% endhint %}

## June 2025 - Console: v9.00.002, Agent: v9.00.002

In this release:

* Fixed a bug affecting Large File Scans

{% hint style="info" %}
**v9.00.002 Cloud Formation Template**

[v9.00.002](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.002.yaml)
{% endhint %}

## May 2025 - Console: v9.00.001, Agent: v9.00.001

In this release:

* Fixed a bug affecting Smart Scan and Protect Everything

{% hint style="info" %}
**v9.00.001 Cloud Formation Template**

[v9.00.001](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.001.yaml)
{% endhint %}

## May 2025 - Console: v9.00.000, Agent: v9.00.000

In this release:

**Protect Everything**

Adds the ability to Protect all storage containers for comprehensive storage coverage

* Added indicator of storage container protection posture
* Protect AWS, Azure, and GCP buckets in one menu
* Offers exclusion lists
* Containers that were already protected will remain protected if Protect Everything is turned off

<figure><img src="/files/PllYiyr5xvgIqLKLpIAy" alt=""><figcaption></figcaption></figure>

**Server-Side encryption for Two-Bucket System**

* Console-created two-bucket systems allow encryption enforcement

<figure><img src="/files/wU5fRtc97bctp4JgVvQo" alt=""><figcaption></figcaption></figure>

**Console-Side Upgrade Improvement**

* Console requires upgrade to latest minor version before upgrade to latest major version

**Vulnerability Patching**

* Various vulnerability fixes have been implemented

**WorkDocs Support Removed**

* AWS is removing support for WorkDocs. We've removed WorkDocs options from the Console

**Various Improvements and Bug Fixes**

* Object tags now support the following symbols: + - = . \_ : /
* Containers now use Rocky Linux instead of CentOS Stream 10
* Agent Config improvements
* Fixed a bug affecting Scan and Skip lists
* Fixed a bug affecting custom EventBridge Buses
* Fixed a bug affecting precreated IAM Roles
* Improved Large File Scan handling
* UI Fixes for the Console Dashboard

{% hint style="info" %}
**v9.00.000 Cloud Formation Template**

[v9.00.000](https://css-cft-versions.s3.amazonaws.com/ConsoleCloudFormationTemplate-v9.00.000.yaml)
{% endhint %}


