Back to Documentation

Release Notes - Version 2.0.1.47

TYCHON Quantum Readiness Scanner

Version 2.0.1.47

Latest Release

Release Date: January 23, 2026

What's New in This Release

Version 2.0.1.47 introduces significant improvements to output flexibility, data quality, and enterprise deployment compatibility. This release includes critical bug fixes for Windows path handling and FlatNDJSON formatting, plus a powerful new feature for controlling output verbosity and splitting datasets.

✨ New Features

TQR-254

Split Outputs and Detail Level Control

Introduces two powerful features for managing scanner output: Split Outputs and Detail Level Control.

Split Outputs (-split-outputs):
  • • Break up scanner output into separate files per dataset (quantum, network, memory, filesystem, keystore, outlook, vpn, ipsec)
  • • File naming pattern: {base}_{dataset}.{ext}
  • • Automatically skips empty datasets
  • • Works with all formats except cbom,html, and eventlog
  • • Use -keep-consolidated to create both split and consolidated files
Detail Levels (-detail-level):
  • Full: All fields (current behavior, 0% reduction)
  • Standard: Removes verbose/technical fields like raw PEM data, signatures, modulus (30-40% reduction)
  • Minimal: Essential fields only - security status, PQC flags, key crypto params (60-70% reduction)

Benefits: Easier parsing of large scan results, reduced storage requirements (up to 70%), faster SIEM ingestion, better performance for streaming analytics.

🐛 Bug Fixes

TQR-169 RESOLVED

Fixed: Windows Path Validation Error with Parentheses

Issue: Scanner rejected Windows paths containing parentheses () or brackets [] as "dangerous characters", causing BigFix deployments to fail.

Example Error: C:\Program Files (x86)\BigFix Enterprise\... was incorrectly flagged.

Resolution: Removed parentheses and brackets from dangerous character validation. These are legitimate in Windows file paths and pose no security risk. Truly dangerous shell metacharacters (|, &, ;, `, $) remain blocked.

TQR-253 RESOLVED

Fixed: Missing Dataset Type in FlatNDJSON Output

Issue: FlatNDJSON format output did not include tychon.type field, making it impossible to distinguish between datasets (cipherscan, memoryscan, ipsec, etc.) when parsing NDJSON lines.

Resolution: Added tychon.type field to all FlatNDJSON output lines, consistent with the standard NDJSON format. Each line now clearly identifies its dataset type.

TQR-189 RESOLVED

Fixed: Scanner Outputs Unrequested Archived Datasets

Issue: Scanner included archived/inactive data from unrelated scan types. For example, requesting only -filesystemscan would still output archived cipher scan results.

Resolution: Scanner now only outputs results from explicitly requested scan types. Archived data is excluded unless the corresponding scan mode is active.

TQR-252 RESOLVED

Fixed: Missing Process Information for Archived Items in FlatNDJSON

Issue: When using FlatNDJSON output format and a cipher/library is marked as inactive (no longer running), the output includes the cipher data but omits process information (PID, process name, path).

Resolution: Archived/inactive items now retain all metadata fields including process information for historical tracking and compliance reporting.

TQR-262 RESOLVED

Fixed: Full Scan Hangs on OneDrive Files On-Demand

Issue: Filesystem scans would hang indefinitely when encountering OneDrive Files On-Demand (cloud storage files not fully downloaded). The scanner attempted to read cloud-only files, triggering automatic downloads that caused timeouts and scan failures.

Resolution: Enhanced file processing logic to detect and skip cloud storage placeholder files (OneDrive, SharePoint, and other cloud providers). Scans now complete successfully without attempting to download cloud-only content.

🛡️ Security Enhancements

TQR-256 RESOLVED

DoD STIGS Compliance: OpenSSL Extraction to Binary Directory

Security Issue: DoD Security Technical Implementation Guides (STIGS) prevent execution from temporary directories (/tmp, /var/tmp, %TEMP%) on protected endpoints. Scanner previously extracted embedded OpenSSL to temp directories, causing failures on DoD-hardened systems with noexec mounted temp directories.

Resolution: Changed OpenSSL extraction to use timestamped hidden subdirectories in the binary's own directory:

  • • Extract to .tychon_<unix_timestamp>/ subdirectory
  • • Fresh extraction every run with SHA-256 integrity verification
  • • Automatic cleanup at exit (zero persistence)
  • • Unique timestamp per execution prevents concurrent execution conflicts
  • • Falls back to temp directories only if binary directory not writable (with warning)

Benefits: DoD STIGS compliant, concurrent execution safe, secure (hash verification + fresh extraction + zero persistence), self-contained deployment.

🔧 Improvements & Enhancements

  • Enhanced BigFix/SCCM Compatibility: Output path validation now supports standard enterprise deployment tool paths including those with parentheses and spaces.
  • Improved NDJSON Format Consistency: Both Tychon NDJSON and FlatNDJSON formats now include dataset type identifier for easier parsing in SIEM pipelines.
  • Flexible Output Sizing: New detail levels allow users to balance between comprehensive forensic data (Full) and lean dashboard metrics (Minimal).
  • Better Data Organization: Split outputs feature enables dataset-specific processing in data pipelines, improving parallel processing and reducing memory overhead.

Upgrade Notes

  • Breaking Change: FlatNDJSON output now includes tychon.type field. Existing parsers may need updates to handle this new field.
  • Default Behavior Unchanged: Split outputs and detail levels are opt-in features. Existing deployments will see no change in output behavior unless new flags are used.
  • Windows Path Fix: BigFix and SCCM users should re-test deployments with paths containing parentheses - these will now work correctly.

⚠️ Known Issues

TQR-254

Minimal Detail Level Creates Empty Files with Split Outputs

Issue: When using -detail-level minimal in conjunction with -split-outputs, the scanner creates output files but they may contain no data or only minimal top-level metadata.

Affected Scenarios:

  • • Using -mode local -fullscan -split-outputs -detail-level minimal
  • • Files are created but datasets contain empty or incomplete data
  • • Works correctly when using -detail-level standard or -detail-level full

Workaround: Use -detail-level standard instead of minimal when using -split-outputs. Standard detail level provides a good balance of size reduction (30-40%) while ensuring all datasets contain valid data.

Status: Fix in progress. Will be resolved in the next patch release.

Command-Line Examples

Split Outputs with Standard Detail Level:

certscanner -mode local -fullscan -split-outputs -detail-level standard \
    -output /path/to/scan_report.json

Creates separate files: scan_report_quantum.json, scan_report_network.json, etc. with reduced verbosity.

Minimal Output for Dashboard Analytics:

certscanner -mode local -cipherscan -detail-level minimal \
    -output scan_dashboard.json

60-70% size reduction, includes only essential security metrics.

BigFix Deployment with Parentheses in Path:

certscanner -mode local -fullscan \
    -output "C:\Program Files (x86)\BigFix Enterprise\scans\report.json"

Now works correctly with Windows paths containing parentheses.

📚 Documentation

Main Documentation
Complete usage guide
Previous Release (2.0.0.169)
View previous release notes
Return to Main Documentation