Changelog
Version: 1.0.42 - Release date: 03/2025
Breaking Changes:
- The internal EPAS database has been upgraded to a more recent version. All backups of type Full (Offline) taken before 1.0.42 are not compatible with the current release. Before proceeding with the upgrade, please make sure that at least one backup of type Full (Online) exists.
Analyser:
- Password Reuse queries for target types can now retrieve data independently, instead of relying on existing target retrievals from jobs.
Enforcer:
- Windows Enforcer installations will use TLS 1.2 or higher for password change checks. For existing installations, the Enforcer component must be redeployed and the systems restarted to load the new version.
- Disabling TLS 1.1 for Enforcer is now possible via the Enforcer » Settings page.
- Log filtering has been optimized to allow more granular selections (days, weeks, months). This helps manage log data in high-volume password change environments.
- Invalid policy assignments are now marked as invalid in the Policy Assignment page.
- It is now possible to select empty Organizational Units when mapping policy groups. This allows prefixed OU selection for empty groups.
- Cleanup operations have been optimized, allowing better disk space management for EPAS Enforcer password history and password unique rules.
General / System:
- Disabling TLS 1.1 is now possible for the management and public interface, via the Web Service Settings page.
- External authentication has been extended to support OpenID Connect implementations. This allows customers to use their own (external) authentication repository, enabling Single Sign On and MFA.
- Report Purge functionality has been moved to the
- Automatic Purge of Report Data functionality has been renamed to Data Retention Policies and moved to a new section of the Security & Compliance area. It has been extended to also cover EPAS Operational Logs and EPAS Enforcer Logs.
EPAS API:
- The /v3/system/healthmonitoring endpoint has been adjusted to issue valid JSON schema objects. In particular, hard disk information and static field names have been implemented to allow better parsing by monitoring solutions.
- An issue in the MSSQL MASS API endpoint has been resolved which did not permit CyberArk MASS MSSQL targets to be defined.
Version: 1.0.41 - Release date: 12/2023
Audit Jobs:
- All Audit Profiles now have an additional profile mode which uses Artificial Intelligence (large language models trained on real-world passwords) to predict potential password candidates. The AI mode permits the use of two different models: a static one trained offline on compromised passwords, and a dynamic one trained on passwords recovered by the EPAS instance.
- A new option, Syslog alerting, is present in all Audit Job definition pages, in the Reporting Options section. This allows report contents (recovered accounts) to be transmitted to a Syslog server after the job completes. External Logging needs to be active for this option to take effect.
- Added several sets of new derivation rules, which improve the performance of the rule steps in password audits. The new rule sets are not used by default; the audit profiles must be updated manually in order to use them.
- Multiple bug fixes and performance improvement related changes.
Analyser:
- Password Reuse Queries support automatic target retrieval, for all reuse queries which perform target related password reuse checks.
Reports:
- Group membership for aggregate reports has been optimized, reducing the disk space required for aggregate reports.
Enforcer:
- A new matching mode has been added for Policy Assignments for Active Directory targets. This matching mode allows matching A/D Location Prefixes instead of direct membership of the OU. In this matching mode, the organizational unit matching applies to the user's direct organizational unit, or any organizational unit above the direct OU.
- Logs for Enforcer are now filterable based on their outcome (FAIL/OK). Log export functionality now respects the filtering options.
- Translations now contain an additional footer field which accepts arbitrary HTML data (from EPAS administrators) and displays it to the user at the bottom of the public Enforcer password quality check page.
- Implemented redeploy for Linux servers using EPAS Enforcer.
General / System:
- Clustering is now supported and allows for EPAS WORKER systems to be functionally grouped into computational clusters that can be explicitly assigned to Audit Jobs. Clustering can be used to define either HPC WORKERs (multiple units acting as a single, faster node, which can be assigned to jobs) or WORKER groups (multiple units grouped together to assign them to audit jobs).
- Virtual Machine support has been added, allowing EPAS administrators to provision and deploy EPAS AGENT and EPAS WORKER virtual machines on their own Cloud infrastructure. Besides on-premises virtualization, EPAS also supports automatically creating and managing Azure VMs.
- New licensing options have been added to allow definition of virtual machines.
- Authentication attempts towards the EPAS console provide a generic error message when the user is locked, to prevent additional information disclosure.
- Exporting local user metadata (username, full name, last login and expiration dates) is possible via the User Management section, for recertification purposes.
- The tilt sensor monitoring has been removed from the EPAS MASTER, due to high number of false-positives.
- Multiple bug fixes and performance improvement related changes, as well as individual components upgrade.
EPAS API:
- Job scheduling is now available via API calls.
Version: 1.0.40 - Release date: 09/2022
EPAS Enforcer:
- An issue causing long synchronization times for EPAS AGENTs while the Enforcer service was synchronizing was resolved.
- For Microsoft Windows Active Directory and Microsoft Windows Local Accounts Enforcer deployments, it is now possible to use credentials that are members of the Protected Users group. In this case, Kerberos authentication will be attempted as a fallback once the standard EPAS deployment fails.
- The Logs page now allows exporting filtered data with respect to the selected time range. It is now possible to export logs from the last month, last 3 months or last 6 months.
- The Redeploy action in the Server Groups > Servers page now also updates the relevant EPAS Enforcer registry settings. This eases redeployment on systems which have had their IP address changed.
Target Systems:
- EPAS can now use Kerberos authentication during the target retrieval process, for both Microsoft Windows Active Directory, as well as Microsoft Windows Local Accounts target types, whenever a domain credential is used. This allows Protected Users to be used to authenticate to the target system. Note: for the Kerberos fallback to work, a valid DNS configuration must be present on the EPAS MASTER, which is able to resolve the domain FQDN.
Audit Jobs:
- The standard workflow, whenever saving a new job, has been modified to redirect to the job definition page, instead of the job listing page.
Analyser:
- Password Reuse Queries support email notification for any queries which make use of target systems. For these queries, it is now possible to select a relevant email template and enable user notification. All users which have a valid email address stored in the target system (the emailAddress field) will be notified once the report generates.
- A new mode, Username - Targets, has been implemented for Password Reuse Queries. This mode checks for password reuse across the same username over multiple systems. For example, it can determine if john.smith shares the same password on the DEV, PROD and TEST domains. The mode supports email notification and requires a notification target: the domain where the primary email of the notified user(s) is stored.
Reports:
- Password Reuse Reports now show if email notification was activated for a particular query, in the Executive Summary page. In addition, a Notification Status tab is present for all reuse queries which have notification enabled.
General / System:
- User Mail Notification has been redesigned to allow different mail templates per job, or per password reuse query. The single mail template used by customers will automatically be migrated to the new structure.
- Web Service Settings: IDEA cipher suites can now be explicitly disabled in the Web Service Settings page.
- SSL Settings: all key generation functionality (self-sign, generate CSR) is now using a 4096-bit RSA private key.
- Content-Security-Policy headers have been updated to disallow external JavaScript to be loaded in the EPAS management interface.
EPAS API:
- It is now possible to interact with the API for mail template listing, creation and modification. For more information (Swagger/OpenAPI definitions) navigate to the API documentation at https://<epas_hostname>/v3/swagger/index.html on the EPAS MASTER web console.
Version: 1.0.39 - Release date: 05/2022
EPAS Enforcer:
- A new policy rule is available, which can be used to detect if any accounts use a password in the Compromised password list. The list contains billions of entries and is updated regularly.
- A new policy rule is available, Dictionary #3, which can be used to detect if accounts use dictionary words in their passwords. This iteration of the dictionary matching rule stops matching dictionary words if the selected password is longer than a predefined length (e.g. when using passphrases).
- The password history rule has been optimized for speed in environments with many password changes (~1000 password changes / day).
- The password uniqueness rule has been optimized for fast response.
- The Windows Enforcer component (Active Directory, local accounts, Microsoft SQL) has been updated in order to fix several minor issues and to produce more consistent Event Log content.
Target Systems:
- IMPORTANT: all target systems now also support hostname-based definition. This allows EPAS administrators to add or modify targets to use hostname-based addressing, allowing for easier auditing of load-balanced systems or cloud-based, dynamic IP systems.
- Cisco network device support has been integrated into EPAS Audit. This allows administrators to add target systems of type Cisco and subsequently schedule audits. Supported systems are: ISE, ASA, IOS, NXOS.
- MacOS operating system support has been integrated into EPAS Audit. This allows administrators to add target systems of type MacOS and subsequently schedule audits. Supported systems are: MacOS X version 10.7 (Lion) and above.
- An issue was fixed in the LDAP target system that occurred whenever too many processing/parsing errors were encountered from the system.
- Several issues have been fixed in the WMI (Windows, Active Directory) target: full UTF8 connection passwords are now supported, timeouts for network connect and data transfer have been increased, and several unhandled errors are now displayed correctly. The verbosity level has also been increased to aid diagnostics.
- Several issues have been fixed in the MySQL target processor.
- Support for keyboard-interactive authentication has been added to all targets supporting SSH connections.
Audit Jobs:
- The standard workflow, whenever saving a new job, has been modified to redirect to the job definition page instead of the job listing page.
- Some audit profiles (e.g. File Upload) were skipping configuration screens when using the Previous action. This has been resolved.
- Heavy optimization for all processor modes and hash types.
- Fixed an error in the Postgres processor.
- Fixed an error in the MySQL processor.
- Minor fixes in the LDAP processor.
- Fixed the treatment of empty passwords and passwords with trailing spaces.
- Fixed a potential crash in the password quality measurement component / PQA.
- The refresh method for audit progress information has been modified in order to speed up the response.
- Any errors in the processing on the WORKER module are now presented as warnings in the report.
Analyser:
- -
Reports:
- -
General / System:
- The remote backup facility has been updated and includes an additional backup destination, which enables remote backups on secondary EPAS MASTER systems. This destination is called Disaster Recovery. More information is available under the EPAS Audit » Maintenance » Backup & Restore page.
- Optimized the OOB startup in order to speed up WORKER module detection and upgrade.
- Fixed an error in the AGENT TPM 2.0 remote attestation that could result in failed modules.
- Fixed an error in DHCP IP allocation that could result in failed WORKER modules.
- Fixed an issue with the regular AGENT maintenance and cleanup that could result in sporadic failures.
- Fixed an issue with case sensors on remote units (AGENT). Automatic MASTER shutdown is no longer possible; notifications should be used instead.
- The current version of EPAS (1.0.39) has been independently tested for security vulnerabilities by WithSecure (formerly F-Secure). The audit report is available upon request.
EPAS API:
- -
Version: 1.0.38 - Release date: 09/2021
EPAS Enforcer:
- The Windows Active Directory password filter component has been updated to allow golden ticket (krbtgt) password changes and to reduce memory consumption under high CredSSP usage, such as in NPS scenarios.
- The Credential Provider component has been updated to support HID DigitalPersona credential providers. The credential provider is available on every EPAS MASTER at: https://<epas_master_ip>/v2/client_package.zip
- Fixed a minor error in the notification system: if the notification attribute did not exist, an error was displayed and provisioning ended successfully, but the notification would not work. Provisioning now fails in this case.
Target Systems:
- MongoDB support has been integrated into EPAS Audit. This allows administrators to add target systems of type MongoDB and subsequently schedule audits.
- Linux, BSD and other targets using the SSH connection type now support a new flag, Warn on key mismatch. If enabled, targets with a different SSH host key (e.g. in cloud environments) will no longer fail but continue the extraction, while logging a warning about the mismatched key.
- All target systems support fail-over IP addresses in their Server field, separated by a comma (,). If retrieval fails for the first IP address, the other IP addresses will be evaluated in the order they were defined. This support is also present in the EPAS API, as well as for MASS targets.
- The Connection Test page has been renamed to Advanced. The new section contains the connection test facility, as well as a new option for Microsoft Active Directory and Microsoft Windows Local Accounts systems, in order to mitigate the effects of some EDR/AV solutions.
- Minor typography and wording fixes in the target retrieval workflows.
- Fixed a critical error in the WMI target extractor which could lead, in some seldom-occurring specific cases, to hard disk space exhaustion.
- Implemented, for all WMI targets (Windows A/D, Windows Local Accounts), a set of mitigation methods to prevent false-positive actions by some EDR/AV solutions that would flag the EPAS hash retrieval as a malicious action. Although it is recommended that the EDR/AV vendor correct the detection methods, these mitigations help in most cases. The mitigation methods can be activated under Targets / Connection Test / Advanced.
- Changed the Windows extractor to allow other jobs to finish retrieval, for example if another EPAS system is retrieving data from the same system at the same time.
- Fixed RACF PassTicket parsing for ICSF-encrypted seeds. HSM-protected seeds would previously have resulted in an error.
- Added support for packet encryption to the WMI operations (execute, shadow copy, file copy).
Audit Jobs:
- A new Compromised audit mode has been added to all EPAS audit profiles and audit jobs. The new mode can be activated by changing existing audit profiles and enabling it. The Compromised mode performs a straight dictionary check at the beginning of every audit job, in order to determine which passwords belong to the compromised category. This allows new password leaks to be uploaded through the new Upload Manager component and used in audit jobs without any intervention from the EPAS user.
- The Policy Level setting for EPAS Audit password policies has been removed.
- All dynamic audit job and audit profile hash formats (for custom application audits and file upload) have been updated to support the most recent password hash algorithms and versions.
- Implemented GPU acceleration for hashes of the following types: Lotus, Sybase, all Blowfish, SAP, other specific modes.
- Heavy optimization for all processor modes and hash types.
Analyser:
- Password reuse queries and aggregate queries can now be scheduled and no longer have to be manually executed. See the Aggregate Queries and Password Reuse Queries sections for more information.
Reports:
- Fixed an issue which did not allow automatic data removal (purge) settings to be saved.
- Fixed two errors in the report generator that could lead to timeouts and incorrect reports.
General / System:
- The backup/restore component has been overhauled to also allow for Live Backups, which do not affect the availability of the EPAS MASTER system. Scheduled backups and remote backup locations are also available for the new backup types. More information is available under the EPAS Audit » Maintenance » Backup & Restore page.
- The EPAS update component has been overhauled. EPAS updates, along with EPAS compromised dictionaries, EPAS hot-fixes, as well as remote backup files can be uploaded and applied in the new Upload Manager page.
- A new integration is available for CyberArk, which allows the EPAS MASTER system to connect directly to a CyberArk Vault and to retrieve runtime connection credentials from it.
- Updated the front-end jQuery library to a more recent version, in order to prevent potential security issues.
- Migrated all non-UTF16 wordlists / dictionaries to UTF8, resulting in the elimination of redundant data and space optimization.
- Updated all GPU libraries and internal processor drivers to support new models and embed all available hardware vendor optimizations.
- Implemented OOB IPMI operations for EPAS WORKER and MASTER systems. These operations are available on the EPAS Systems page and can be used to power off, power on, or power cycle the managed units.
- Rewrote the local serial console component to include authentication and additional support functions.
EPAS API:
- The EPAS API has been updated to add support for the following operations and endpoints. For more information (Swagger/OpenAPI definitions) navigate to the API documentation at https://<epas_hostname>/v3/swagger/index.html on the EPAS MASTER web console.
| Endpoint(s) | Function | Description |
|---|---|---|
| /v3/api/targets/<target_id>/mass, /v3/api/targets/{targetId}/mass/{mode}/{identifier} | Single target operations on MASS definitions | Allows create, edit and delete operations on single targets present within a MASS target definition. |
| /v3/api/system/backups, /v3/api/system/backups/settings, /v3/api/system/backups/{backupId} | Backup schedule operations | Allows backup schedule operations such as listing, adding, modifying and running backup schedules. |
| /v3/api/system/restorepoints, /v3/api/system/restorepoints/{restorePoint}, /v3/api/system/restorepoints/{restorePoint}/import, /v3/api/system/restorepoints/<restorePoint>/export | Restore point operations | Allows interaction with restore points created by backup schedules. Possible actions are listing, restoring, removal, as well as triggering restore operations. |
| /v3/api/system/updates, /v3/api/system/updates/{updateId} | Update operations | Allows interaction with EPAS uploads such as EPAS updates, EPAS hot-fixes, EPAS compromised dictionaries or remote backups. Possible actions are deletion of non-applied uploaded files as well as application of uploaded files. |
| /v3/api/system/health, /v3/api/system/health/{type} | Health data endpoint | Allows EPAS API clients to query EPAS health data in a structured (JSON) manner. |
Version: 1.0.37 - Release date: 05/2020
Documentation:
- Documentation is now available only in HTML format, as follows:
  - EPAS Audit at the https://www.epas.de/docs/audit/ URL.
  - EPAS Enforcer at the https://www.epas.de/docs/enforcer/ URL.
EPAS Enforcer:
- A new policy rule has been added (Illegal Characters), to allow blacklisting of individual characters. See the Operation » Policies section for more details.
- Added support for enforcing Microsoft application passwords leveraging the local LSA/SAM within the Windows Local Accounts Enforcer system type. This covers multiple applications, including Microsoft SQL Server local passwords.
- Dynamic translations to any language are now possible. See the Languages section for more details.
- Added a new user role, Enforcer - Logs, which allows only log viewing.
- Added a web-based (PQA) password check interface which uses Enforcer policies.
- Fixed a non-critical memory allocation bug in the LSA filter. A filter update on existing targets is not necessary.
- It is now possible to replace an AGENT in a clean manner (previous AGENT systems are cleaned up at Enforcer restart).
Target Systems:
- All data retrieval operations are now performed in the background. The operator can navigate away and return to the retrieval log window as desired.
- AS/400 targets: Accounts without a password are now included in the report.
- Windows local accounts targets: Fixed an error in the offline registry parser which could lead to failed retrieval on systems with many local groups.
- Windows A/D and local accounts targets: Increased debugging in the WMI processor to identify file copy issues.
- Microsoft SQL Server targets: Added dual MSSQL drivers, jTDS and Microsoft, in order to resolve compatibility issues.
- UNIX targets: Improved handling of accounts that are locked or have no password.
- LDAP targets: Fixed an error in the LDAP parser affecting accounts without a password attribute.
Audit Jobs:
- Standard audit policies have been extended to also include forbidden characters, and to allow changing the number of required character types for Microsoft A/D complexity requirements.
- Added a live retrieval log: the target retrieval progress can now be seen in the job log without waiting for its completion.
- Fixed several errors which resulted in failed jobs or locked systems (pending reboot) in job processing.
- Fixed an error affecting the mask mode, which caused fast brute force and hybrid mode to malfunction in some specific cases.
General / System:
- Added networking configuration on consoles 1 and 2. The same interface present on serial port 1 is now available when using a keyboard and VGA monitor.
- Improved TPM handling code by increasing tolerance to failures (restart and retry).
- Fixed an issue where the local EPAS firewall was blocking connections to the EPAS MASTER on the Enforcer port.
- Fixed an issue which prevented the hardware power button from performing a graceful shutdown.
- Fixed an issue which prevented the serial console from starting on kernel 3.2.0 (legacy systems).
- Fixed an initialization error in startxorg.sh and set_fan.sh for mixed GPUs (law enforcement mode only).
EPAS API:
- The EPAS API has been implemented for Targets and Reports. For more information navigate to the API section.