
InTrust 11.3.2 - Release Notes

September 2018

These release notes provide information about the Quest® InTrust release.

About this release

Quest® InTrust 11.3.2 delivers an enterprise-scale event log management solution for multi-location heterogeneous environments.

New features

New features in InTrust 11.3.2:

  • PowerShell-Based Real-Time Response Actions
    Real-time monitoring rule response actions of the "Execute Script" type now support PowerShell scripts.
  • PDF Format Subsumes Multiple Formats for Repository Viewer Output
    From this version on, InTrust no longer supports the MHT, Word, PowerPoint and XML formats for scheduled Repository Viewer reports and export of results from Repository Viewer. The PDF format is offered instead. Your existing scheduled reports will continue to be delivered in these formats until you edit the scheduled reporting settings.
  • Different Distribution Method for Knowledge Pack for Excel
    InTrust Knowledge Pack for Excel is not provided as part of the InTrust distribution package anymore. It is now available on request from Quest Support.
  • Support for Ubuntu Linux
    The following Ubuntu Linux versions can now be audited and monitored: 18.04 LTS, 16.04 LTS and 14.04 LTS.
  • Support for Debian GNU/Linux 9
    Debian GNU/Linux 9 can now be audited and monitored.
  • Better support for various Exchange configurations
    Due to improved handling of log paths and auditing options, InTrust can now gather logs from Exchange servers regardless of the Exchange server roles configured for them. Importantly, Edge Transport servers are now fully supported.

Enhancements

Table 1: Enhancements in InTrust 11.3.2

Enhancement

Issue ID

The number of file open operations during indexed repository searches has been reduced significantly. This increases repository search performance. The speedup is most noticeable in searches that return few results; in some cases such searches run twice as fast as before.

IN-900

Syslog events collected from Unix hosts are now more compact in repositories, because redundant data is not stored anymore. The optimized Syslog event data takes four to ten times less space than before.

IN-901

InTrust Deployment Manager user experience has been improved:

  • When you work with large collections containing thousands of computers, memory consumption is 30 percent less than before.
  • Memory consumption remains consistent throughout the InTrust Deployment Manager session, which was not always the case previously.

IN-1161

The sets of event fields for the Windows Security log and InTrust Server log have been extended to make event records clearer. For details, see the Changes to Event Fields topic.

IN-1454
IN-1499

All SSRS reports in the Windows Report Pack can now handle events from Windows Server 2016 and from prior Windows versions equally well.

IN-2573

For convenience and better visibility, all real-time monitoring rules for attack prevention have been moved to a dedicated “Advanced Threat Protection” rule group. The bindings of those rules to real-time monitoring policies did not change.

IN-2524

The set of attributes for filtering objects in sites and gathering policies has been updated to better match the versions of Windows supported by InTrust. There are now appropriately named attributes for all supported Windows versions, and older Windows versions are now specified by the Legacy Windows (agentless gathering) attribute.

IN-1684

Repository search query processing has been improved to make some previously unsupported search terms work on indexed data. Relevant results are now returned for individual parts of strings containing ampersands, such as "smith&sons". Search terms like "smith" and "sons" didn't return such results before.

IN-2605

InTrust now distinguishes whether Syslog events from Linux were generated through the use of sudo. To search for such activity in Repository Viewer, make sure that the Source field is "sudo" and the What field contains "Permission Request".

IN-2410

On Linux hosts, InTrust agents now set up Syslog auditing and real-time monitoring automatically. No manual Syslog-related configuration is required on Linux anymore.

IN-2513

 

Resolved issues

The following is a list of issues addressed in this release.

Table 2: Resolved issues

Resolved Issue

Issue ID

The following real-time monitoring rules don't trigger alerts on Debian GNU/Linux hosts:

  • SU administrative activity

  • Succeeded 'su' command after failed attempts

  • Succeeded 'su root' after failed attempts

IN-1739
IN-1777

The format of the dates and times displayed in Repository Viewer is not consistent with the system date and time format settings on the computer where Repository Viewer is running.

IN-1250

When InTrust captures Syslog messages, if the timestamp of a message doesn't contain the year, InTrust may supply the year value incorrectly, so that the event appears to occur in the future.

IN-1766

When hot repository index files are merged together, if a file becomes corrupted, InTrust Server crashes without any error messages. This is an extremely rare situation.

IN-1769

Repository cleanup operations use an excessive number of disk accesses. As a result, cleanup takes a very long time. This behavior can also be interpreted as an attempted attack, and InTrust can be denied access to the repository.

IN-1916

During InTrust upgrade, the installer fails to update information about known named event fields in the configuration database. As a result, an incomplete set of named event fields may be in use after the upgrade.

IN-2300

Repository indexing uses an excessive number of disk accesses. This behavior can be interpreted as an attempted attack, and InTrust can be denied access to the repository.

IN-1272

The predefined custom filters for real-time monitoring rules don't work for events from Windows Server 2016 unless you edit the OS version matching condition in those filters.

IN-1740

When multiple repository searches are performed simultaneously, some of them can fail with the following error: "The indexing server is busy. Please try again later".

584592

IN-1923
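
The year-less Syslog timestamp problem listed above (IN-1766) is a common failure mode in log collectors. The following is an added example, not Quest or InTrust code, that contrasts the naive "use the current year" approach with year inference for the traditional "Mmm dd hh:mm:ss" Syslog timestamp; the function names, the one-day clock-skew bound and the sample message are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y %b %d %H:%M:%S"            # candidate year is prepended before parsing
MAX_FUTURE_SKEW = timedelta(days=1)  # assumed bound on sender clock skew


def _parse(stamp: str, year: int) -> datetime:
    # Collapse the space padding used for single-digit days ("Jan  1").
    # %b assumes English month abbreviations (C locale).
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", FMT)


def naive_year(stamp: str, received: datetime) -> datetime:
    """Failure mode: always assume the collector's current year."""
    return _parse(stamp, received.year)


def infer_year(stamp: str, received: datetime) -> datetime:
    """Pick the latest candidate year that does not place the event in the future."""
    limit = received + MAX_FUTURE_SKEW
    candidates = []
    for year in (received.year + 1, received.year, received.year - 1):
        try:
            candidates.append(_parse(stamp, year))
        except ValueError:
            continue  # "Feb 29" is invalid in a non-leap candidate year
    plausible = [c for c in candidates if c <= limit]
    if not plausible:
        raise ValueError(f"no plausible year for {stamp!r}")
    return max(plausible)


# Constructed sample: message stamped just before midnight on New Year's Eve,
# received by the collector a few seconds into the new year.
RECEIVED = datetime(2019, 1, 1, 0, 0, 5)
SAMPLE = "Dec 31 23:59:58"

if __name__ == "__main__":
    print("naive:   ", naive_year(SAMPLE, RECEIVED))
    print("inferred:", infer_year(SAMPLE, RECEIVED))
```

With the constructed sample, the naive result lands almost a year after the receipt time, while the inferred result falls seven seconds before it.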
