5. Hotfix

5.1. Package 1 (HF1 / SHA256)

The GCenter GUM hot patching system was improved.

5.2. Package 2 (HF2 / SHA256)

The current functioning that preserves the health of the GCenter (Emergency Mode) during a peak load was optimised and improved.

The GCenter WebUI logs now contain more information.

A Powershell script analysis could be performed in a loop if the data sent by the detection probe became corrupted. Better error handling corrected this problem.

It is no longer necessary to authenticate when configuring GUM for the first time with a local mirror.

The progress bar in GUM during various operations no longer freezes.

Configuring scheduled tasks in GUM was improved.

Hotfix version tracking was implemented in the GCenter WebUI.

The display of Netdata measurement units was corrected. Values are now shown in megabits.

The visibility of interfaces from the GCenter WebUI was improved. The name of the interface is now associated with its IP address.

The “Suspicious (archived)” indicator in the “Live Critical Indicators” table was corrected; it now displays consistent information.

Netdata monitoring of partitions and backups was added.

The setting enabling hash calculation of rebuilt files in the GCap profile did not reflect the actual configuration. The display now reflects the true configuration.

After several days of use, it was impossible to export the appliance logs. The 10GB temporary partition used by the GCenter API was the cause of this problem. Its location was changed and it now has more storage space, enabling the API to prepare the encrypted archive for exporting GCenter logs. During a restore, the GCap folders for analysis and configuration were missing. At startup, the GCenter now makes sure these folders are present.

Configuring a default gateway for interfaces is no longer required.

Warning: applying this patch will cause the GCenter WebUI to restart automatically. A manual page refresh is required.

5.3. Package 3 (HF3 / SHA256)

When exporting alerts with syslog using the TCP protocol, if a service interruption occurred between the GCenter and the syslog server, the publication of alerts in the ElasticSearch database was also interrupted.

To take advantage of the security and stability fixes, the ELK version was updated to version 6.8.11.

GCenter, it was not taken into account. It is now functional.

The GCenter log export now includes more information about system messages.

Data corruption when exporting GCenter logs could occur. This problem was corrected.

A memory leak could occur on the GCenter when applying a scheduled GUM update at a very short interval. This problem was corrected.

In some cases updating the analysis engines via GUM can fail and reach the maximum timeout. Extending the timeout enables the GCenter to perform all necessary updates.

The Emergency Mode was optimised by integrating a better iteration over the files present in the various directories and better handling of the errors linked to MALCORE.

The powershell events reported by CODEBREAKER contained a SHA256 value in the MD5 field. This information was corrected. The powershell and shellcode events reported now have both the SHA256 and MD5 fields. Note: This correction does not apply to older events.

When authenticating with an LDAP server (OpenLDAP only) using TLS and a self-signed certificate at the GCenter, users could not authenticate. This problem was corrected.

Indexing documents from a “flow” event containing a value greater than 256 characters in the “flow.age” field was not possible. The ElasticSearch configuration was modified to correct this issue.

In a GCAP’s advanced configuration, if no ruleset was present during a “Save and Apply”, an error 500 appeared on the GCenter WebUI. This problem is now fixed.

The deletion and editing of rulesets updated from version 2.5.3.10 to version 2.5.3.100 could not be done. This problem is now fixed.

5.4. Package 4 (HF4 / SHA256)

Codebreaker: Improved detection of Powershell scripts and reduced false positive rate.

Licensing: The Gatewatcher GT&C were added; after applying the hotfix, they are automatically accepted.

Proxy Configuration / External Monitoring Configuration: Entering an incorrect address resulted in a 500 error. The error is now handled and an error message is displayed.

GUM - Updates: A ruleset was not being updated correctly. The original ruleset had to be regenerated to take into account the new rules included in the update. The update is now automatic.

GUM - Updates: If a new category was added to a source, its activation in a linked rule was not automatic. This update fault was corrected.

Sigflow Manager: If a rule was linked to another rule, deactivating it resulted in a 500 error. It is now possible to disable linked rules without producing an error.

Installing the GCenter in version 2.5.3.100-hf3 or upgrading from version 2.5.3.10 to version 2.5.3.100-hf3 did not enable the reconstruction of flow_ids and the indexing of files deduplicated by the GCap. This problem is now fixed. In addition, it is recommended to install version 2.5.3.100-hf4.

Improved event management: Logstash and Filebeat were updated to version 7.9 to improve message processing (see the Logstash release note and the Filebeat release note).

The GCenter internal orchestrator now oversees Logstash, enabling error management and recovery.

5.5. Package 5 (HF5 / SHA256)

GUM - Hotfix: From package 5 onwards, any patch applied is automatically removed from the list as soon as it is implemented. In MPL mode, a patch cannot be applied.

Export Syslog: The pipeline manager was experiencing a restart problem after installing GCenter version 2.5.3.100-hf4. The restart of the GCenter is now operational. Fields were missing from the malware indexes; they have been reapplied. A “uuid” field was added to all the events that were retrieved.

Ruleset - Threshold: Editing a Threshold rule used to require a double generation to work properly. Now the Threshold rule is updated upon the first generation of the ruleset.

GCenter - logs: There was a problem with the export of GCenter logs larger than 10GB. This problem was fixed.

CODEBREAKER - Alerts: Powershell alerts in the KIBANA tables could be interrupted due to unsupported values. Support for these values was added.

SYSLOG - IDMEF: When exporting syslog in IDMEF format, the Heartbeat logs were missing. These items are now present. However, the syslog configuration must be reapplied for the patch to take effect.

GSCAN - PowerShell: GSCAN analysis of PowerShell scripts consistently returned an error message in version 2.5.3.100-hf4. The scans now work correctly.

GSCAN - MPL: When MPL functionality is enabled, GSCAN is automatically disabled by the GCenter. Enabling GSCAN is not possible while this feature is active.

Alerts: No shellcode or malware alerts were reported in Gatewatcher tables in version 2.5.3.100-hf4. This problem was corrected.

Sigflow - Custom Source: Editing a custom source produced an error message. It is now possible to edit a custom source.

Malcore - Alerts: An inconsistency between the “engine_id” and “total_found” fields was occurring. This was rectified.

5.6. Package 6 (HF6 / SHA256)

Important

This HF must be applied as an upgrade (which implies a reboot). It is impossible to apply this patch as a hotfix, because it includes, among other things, a kernel patch that cannot be applied hot.

Important

HF6 can only be applied on a GCenter in v100 HF5. Other upgrade paths are not supported.

Warning

After the upgrade, the malcore engine must be updated. If you are in online mode (see Administrator > GUM > Config), this may take up to 15 minutes. In offline mode, you must apply a manual update for malcore to become functional.

Warning

The files to be used to update the sigflow and malcore engines are no longer the same.

The manual download of the updates is done from https://update.gatewatcher.com/update/2.5.3.100/gcenter/ :

  • latest_sigflow_v3.gwp is the update of the sigflow rules.

  • latest_malcore_v3.gwp is the malcore engine update.

  • latest_full_v3.gwp is the combined malcore and sigflow updates.

Warning

When switching to HF6, the known bug “malcore profile not preserved” may occur. Also, only 15 antiviral engines will be available (known bug “engine disable”).

Kernel - IPSEC module instability: The Linux kernel had a module related to IPsec that could cause kernel errors (kernel oops). This problem was corrected. (See the known bug “kernel ipsec”.)

Malcore upgrade: Malcore was upgraded to version 4, enabling improved stability and fixing many issues. (See the known bugs “accumulation of files in tmp”, file association, and missing flow_id.)

Mapping malcore fields: The mapping of the log fields produced by malcore is now identical to that of version 2.5.3.101 documented here: https://docs.gatewatcher.com/fr/gcenter/2.5.3/101/definition_des_alertes/definition_des_alertes.html#malcore

Improved stability of the GOASM engine: the shellcode analysis engine was revised to enhance its stability.

Web interface security improvements: CSRF vulnerabilities were fixed.

Internal component updates: GCenter’s internal components, such as the web server engine, were updated.

5.7. Package 7 (HF7 (upgrade mode) / SHA256 // HF7 (hotfix mode) / SHA256)

Package HF7 updates internal GCenter product licenses and must be applied before 12/31/2021. This hotfix must be applied on a v100-HF6 GCenter (it can be done in upgrade or hotfix mode).