Tanium Comply supports CLM

Good day all!

A few years ago I found a bug in the Tanium Comply module which they tracked in COMPLYCX-765. Not publicly visible, unfortunately. As of January 2024 it is fixed. The default engine in Tanium Comply finally works on WDAC & CLM hardened endpoints. Huzzah!

It's worth noting that the "Tanium Scan Engine" is Arctic Wolf's Joval internally; it is visible in code comments and behavior. In a way I understand why it took so long to address my issue. It's two mammoth companies and a fix for a relatively small segment of the market.

I've been periodically reviewing the release notes, and following up with our TAM on getting this addressed. To date, I haven't had any official response or acknowledgement that this has been addressed; as of the time of this article, all the official documentation still claims this configuration doesn't work.

The diagnostics I previously performed and the fix I proposed turned out to be exactly how it ended up being resolved. Instead of passing untrusted commands via PowerShell's command-line interpreter, create a script file with whitelisting support. I love when I can see around a corner to get an issue fixed!

This is a huge step forward for me. The alternative scan engine we have been using is vulnerable to log4j, out of date, unsupported, and generally painful to work with. I'm glad it was available and covered me while it was needed, but it very much feels like an afterthought. Who wants to manually edit XML files, especially in a system without good version control?

If you have further interest in Tanium Comply please stay tuned. I also have some interesting insight as to what the current release of Interact covers, and what it doesn't.

More articles by Tim Brigham