Release 4.1.0 #361

Open
jjxtra wants to merge 27 commits into master from release-4.1.0

Conversation

jjxtra (Collaborator) commented Jun 16, 2026
🔒 Security hardening

  • Verified auto-updates. The auto-update channel previously downloaded a binary from GetUrlUpdate and executed it directly as a privileged process — a MITM or compromised update URL meant arbitrary code execution. Updates now require a new GetUrlUpdateSha256 config value: the download is SHA-256 verified against the operator-supplied hash before running. If no hash is configured, the binary is downloaded but not executed (safe default, explicit opt-in). Mismatches are rejected and logged.
  • Argument-injection-safe process execution. External-program invocation now tokenizes the config-supplied argument template once and substitutes placeholders (e.g. ###USERNAME###) into individual ArgumentList entries, so an attacker-controlled username can never inject extra argv slots. Added TokenizeArguments, BuildStartInfo, and CleanLogData (log sanitization for quotes / newlines / tabs).

🐛 Bug fixes & reliability

  • Legacy DB schema crash fix. ParseIPAddressEntry now guards every column read with IsDBNull, so older databases (created before the BanEndDate / UserName / Source columns existed) no longer crash queries on legacy rows. BanEndDate null-handling was also corrected to check its own column instead of BanDate.
  • Lock-correctness fix in threat uploader. AddIPAddressLogEvents was locking the caller-supplied events parameter (shadowing the field), leaving the actual field unprotected. The filter now runs outside the lock and the lock correctly targets this.events.
  • FQDN construction fix. Hostname/domain joining was rewritten into CreateFullyQualifiedDomainName with proper trailing-dot trimming and duplicate-suffix avoidance.
  • Skip empty config/start/update URLs rather than firing pointless requests.
  • Edit-distance guard added to username-whitelist matching.
  • Rule prefix fixes for Linux iptables and firewalld.

⚡ Performance

  • Performance and test-speed improvements across AsyncQueue, AsyncReaderWriterLock, LockedEnumerable, LevenshteinUnsafe, ProcessUtility, and the CPU / disk / IOPS usage paths in OSUtility.

🧱 Windows firewall

  • Substantial Windows firewall rule create / migrate / delete cleanup, plus additional cleanup of stale rules.

🔍 Detection

  • New RDP failed-login parsing rule and additional log-event test coverage.

🛠️ Platform & build

  • Targeting .NET 10.
  • NuGet package updates (NLog 6.1.3, Microsoft.Extensions.* 10.0.7, etc.).
  • Trim-warning cleanup: real fixes plus justified IL2104 / IL2026 suppressions for unfixable third-party / runtime-COM cases.
  • Logging noise reduced — missing / empty config keys dropped from Warn to Debug.
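The argument-injection-safe execution described above, as an added illustration rather than IPBan's own implementation: the method names TokenizeArguments and BuildStartInfo follow the PR text, but their bodies, the notify.exe file name, the placeholder set and the sample username are assumptions. Because each placeholder is substituted into an already-split ArgumentList entry, the number of argv slots handed to the child process depends only on the operator's template, never on the username content.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

// Added illustration, not IPBan's code: method names follow the PR text, bodies are assumptions.
public static class SafeProcess
{
    // Split the operator-supplied template once, honoring double quotes so that
    // "C:\Program Files\tool.exe" stays one token. Placeholders are left intact.
    public static List<string> TokenizeArguments(string template)
    {
        var tokens = new List<string>();
        var current = new StringBuilder();
        bool inQuotes = false, hasToken = false;
        foreach (char c in template)
        {
            if (c == '"') { inQuotes = !inQuotes; hasToken = true; }
            else if (char.IsWhiteSpace(c) && !inQuotes)
            {
                if (hasToken) { tokens.Add(current.ToString()); current.Clear(); hasToken = false; }
            }
            else { current.Append(c); hasToken = true; }
        }
        if (hasToken) tokens.Add(current.ToString());
        return tokens;
    }
    // Substitute runtime values into the pre-tokenized list. Each value lands inside exactly
    // one ArgumentList entry, so quotes or spaces in an attacker-controlled username cannot
    // add argv slots; the runtime escapes each entry for the child process itself.
    public static ProcessStartInfo BuildStartInfo(string fileName, string template,
        IReadOnlyDictionary<string, string> placeholders)
    {
        var psi = new ProcessStartInfo(fileName) { UseShellExecute = false };
        foreach (string token in TokenizeArguments(template))
        {
            string value = token;
            foreach (var kv in placeholders)
                value = value.Replace(kv.Key, kv.Value, StringComparison.Ordinal);
            psi.ArgumentList.Add(value);
        }
        return psi;
    }
    public static void Main()
    {
        // Constructed sample: a username carrying a quote and a space (hypothetical values).
        var psi = BuildStartInfo("notify.exe", "--user ###USERNAME### --ip ###IPADDRESS###",
            new Dictionary<string, string> { ["###USERNAME###"] = "bob\" --extra \"", ["###IPADDRESS###"] = "203.0.113.7" });
        Console.WriteLine($"argv entries: {psi.ArgumentList.Count}");
        foreach (string arg in psi.ArgumentList) Console.WriteLine($"  [{arg}]");
    }
}
```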
