23.1 On-Prem Release Notes

Version 23.1 of the Cybereason On-Prem offering contains infrastructure and hardening improvements, as well new functionality introduced to the Cybereason platform.

This article includes highlights of what’s new in Cybereason On-Prem version 23.1. For a full list of all available features, see the Full features list.


Cybereason On-Prem was previously called ‘Private Infrastructure Protection’.

New feature highlights

The following new functionality is included in version 23.1 of the Cybereason On-Prem platform:

Predictive Ransomware Protection

Predictive Ransomware Protection is a new type of ransomware protection that uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware.

Predictive Ransomware use a number of different components to detect and prevent common ransomware behaviors:

  • Analysis of files and file activity for possible file encryption

  • Detection of shadow copy deletion

  • Detection of modifications of the Master Boot Record

In addition, the Predictive Ransomware Protection section now displays by default in a sensor policy.

For more details, see Predictive Ransomware Protection.

Behavioral Document Protection AI

If you use Behavioral Document Protection, sensors on version 23.1 use Behavioral Document Protection AI. Behavioral Document Protection AI utilizes a machine learning algorithm to analyze documents to identify if they contain malicious macros.

The machine learning algorithm is based on a deep neural network to provide data driven and automated selection of rules to provide enhanced protection from malicious macros contained within documents.

For more details, see Behavioral Document Protection.

Anti-Malware Artificial Intelligence mode for .NET executable files

The Anti-Malware > Artificial Intelligence mode now includes enhanced coverage of .NET executable files, enabling you to more easily find new or unknown types of .NET file misuse.

For more details, see Artificial Intelligence Analysis.

Variant Payload Prevention (VPP) general availability

Variant Payload Prevention performs real-time analysis of the memory executions, which detects every fracture of malicious code. Variant Payload Prevention is now generally available.

Using VPP, you can prevent variations of malicious payloads, like Cobalt Strike and Emotet. VPP monitors the code being loaded into memory and uses Binary Similarity Analysis (BSA) technology and near-match analysis to identify and block obfuscated code that exhibits characteristics of a known malicious payload.

For details, see Variant payload prevention.

Variant file prevention (beta)


This feature is in beta status. Contact your Customer Success Manager to gain access to this feature.

Beginning in this version, the Cybereason platform introduces Variant File Prevention (VFP), a pre-execution prevention engine which uses advanced fuzzy hashing techniques to quickly identify indicative similarities and patterns of known malware families.

Traditional execution prevention solutions, which rely on cryptographic hashes such as MD5, SHA-1, or SHA-256 alone, are easy to bypass. Attackers are aware that any change to the malicious file will completely change its file hash value.

To address this change, VFP compares each file with fuzzy fingerprints that are resistant to changes. Each fingerprint covers many variants of a high-value threat. If a file is found to match the fingerprint, VFP detects it as a MalOp.

For more details, see Variant File Prevention.

NGAV usability improvements

This version also introduces a number of enhancements to improve the performance and usefulness of Cybereason NGAV.

For MalOps generated by Fileless Protection, the MalOps include descriptions for rule-based (pattern) Fileless detection events. These description of the malicious behavior associated with the pattern help analysts better understand the context of the event. You can view the descriptions in the Malop details and Investigation screens.


These descriptions are not available by default. Open a Support case to enable this feature.

In addition, Fileless protection adds significant enhancements to provide better stability over time and accommodate larger environments with numerous exclusions.

Lastly, the Anti-Malware section of your sensor policy adds a Disable USN Journals option in the Signatures section to stop Anti-Malware protection from scanning the Windows USB Journals on a machine.

Assign machine isolation exception rules for different sensor groups

You can now assign machine isolation exception rules to specific sensor groups. This helps limit access to various endpoint machines to your analysts and admins depending on their group permissions.

For details on machine isolation exception rules, see Machine Isolation Exception Rule.

Assign sensors to groups based on OS and FQDN attributes

When creating rules for automatic assignment of sensors to sensor groups, in addition to existing fields, you can now assign sensors based on the operating system type and sensor FQDN.


This feature is not available by default. Open a Technical Support case to enable this feature.

For details on creating rules for automatic assignment of sensors to sensor groups, see Build group assignment logic.

Obfuscation of sensor policy exclusions in sensor logs

On sensors running supported versions of macOS and Linux, sensor policy exclusions are obfuscate to prevent this information from being misused by attackers.

Collect device model and serial numbers from macOS machines

On macOS machines, sensors not collect the Device model and Serial number of the machine to help with investigation and machine identification

New OS support

We have added support for the following operating systems:

  • Windows 10 22H2

  • Windows 11 22H2

  • Windows 11 23H2

  • macOS Sonoma

  • macOS Monterey 12.3 - 12.6

  • macOS Ventura

  • Apple Silicon Mac native (M2), M2 Max, and M2 Pro

  • Rocky Linux 8

  • Ubuntu 22.04

  • RHEL 9

  • AlmaLinux 8.6 and 9.0

  • A Early access version for Linux ARM, including core security functionality. Automatic installation and visibility of these sensors in the Sensors screen is not yet supported.

To get access to the Linux ARM sensor package, open a Support case.

Deployment Updates

Containerized LTI for Air-Gapped environments

The Sage and MongoDB servers are now part of the Microservices server, reducing the network and VM footprint.

For more information see Configure and Populate the Local Threat Intelligence Server.

Post-Deployment Updates

New Feature Manager options

The following features are available by default (and can be enabled as needed):

  • File Search (UI Level)

  • Registry Events

  • File Events

  • Endpoint Controls

  • Sensor anti-tampering (self-protect)

For more information, see Feature Manager.

SSH hardening

  • SSH access is now blocked to all Cybereason servers except the Configuration Management server.

  • SSH access to other servers is available only from the Configuration Management server.

SSO Support

Cybereason supports single sign-on (SSO) authentication for all users. Single sign-on authentication gives administrators better control over password management by allowing them to integrate their company’s current authentication services with the Cybereason platform.

For more information, see Configure SSO.


NTP is a protocol that allows the synchronization of system clocks. Cybereason supports NTP client configuration with up to 6 Servers.

For more information, see How to Configure NTP for On-Prem.

Backup improvements

  • New backup modes for better optimization

  • General optimization and error-handling improvements

For more information, see Back Up Your Cybereason On-Prem Environment.

Additional minor version releases

The following additional minor releases have been released since 23.1 was released for Cybereason On-Prem:

Minor version releases