We are pleased to announce that on Wednesday, February 10th, 2021, the SolarWinds Endpoint Detection and Response (EDR) product will be updated to the SentinelOne “Machu Picchu SP4” release. This release delivers significant enhancements to the management console, as well as updated versions of the Windows, macOS and Linux agents.
The Management Console release and the new agents contain many usability enhancements and bug fixes, and we strongly recommend upgrading all agents in your environment as soon as possible to provide the maximum level of protection available.
Machu Picchu SP4 includes:
Preview Blacklist & Exclusion
Blacklist and Exclusion entries can have a big impact on your environment. If mistakes are made, the unintended consequences can waste a lot of time and resources. No longer worry about lost productivity from accidentally adding needed applications to the blacklist, or about an exclusion that is too broad and may let malware through. You can now preview a Blacklist or Exclusion entry before it is set, easily seeing what will be suppressed or detected based on the last 7 days.
Upgrade Agents according to your schedule
You can set a schedule in the new Upgrades tab to automatically upgrade Agents based on preset maintenance windows that work for you and your customers. Combine Maintenance Windows with Maximum Concurrent Downloads (released in Liberty SP5) to create a complete Upgrade Policy.
This feature can be set using the new ‘Upgrade Tab’ or directly on an individual endpoint using the ‘Update Agent’ action.
One of the basic mitigation actions for an infected endpoint is to disconnect it from the network using Network Quarantine. This makes sure that a threat cannot attack other endpoints or communicate with the external network from the infected endpoint.
Looking for a way to do your own forensic analysis on a device in Network Quarantine? Looking for a way to respond to incidents? Network Quarantine includes the ability to configure rules to allow specific network traffic. For example, you can allow remote access from specific IP addresses to the infected endpoint to troubleshoot or investigate. You can also allow the endpoints to send data to a specific server.
Reload an Agent remotely without a reboot
Avoid disrupting the end user by reloading an Agent remotely, without a reboot, right from the Management Console. Reloading the Agent restarts the Agent services and releases the memory that the Agent has allocated. Currently available for Windows.
Many exclusions in the catalog were written to work with the C drive in the DOS path and started with C:\. This has now been changed to \Device\HarddiskVolume*\ to work with any drive. If your environment does not use the C drive, make sure to adjust all exclusions that were already added from the Exclusions Catalog. Exclusions that were already added from the catalog are not updated dynamically.
Exclusions: Environment Variables
Exclusions for Windows agents can now include non-customizable environment variables in Path exclusions. Using environment variables makes it easier to enter exclusions, reduces the number of exclusions and makes the Exclusions catalog more maintainable. A predefined list of supported environment variables is below.
New Blacklist improvements for safer workflows
As part of our continued efforts to improve the safety of blacklist and exclusion workflows, users are now prevented from adding some specific hashes to the blacklist. This is to make sure you do not accidentally impact SentinelOne’s detection capabilities in your environment and do not harm your endpoints.
But there is more!
- Easily reference the last time the endpoint was rebooted with the addition of ‘Last Reboot Time’ available in Endpoint details.
- You can now unquarantine a threat quickly; you no longer have to wait for a threat to be fully quarantined.
- SentinelOne Engine Name changes: DFI Engine is now Static AI, and DBT Engine is now Behavioral AI
- The Blacklist icon has been updated, making it easier to distinguish from exclusions.
- Exclusion Catalog additions: new exclusions for Varonis and new exclusions for SolidWorks.
- Threat Mitigation Status Report now shows the number of files not found for mitigation.
- For Firewall rules with Remote Hosts, until this version the maximum was 30 FQDN Remote Hosts per rule and 50 per scope. Now you can use 50 Remote Hosts in a rule, which meets the limit of 50 per scope.
Latest Agent Updates
SentinelOne agent versions included in this update are:
- Windows agent 4.6 SP1 (188.8.131.52)
- macOS agent 4.6 GA (184.108.40.20673)
- Linux agent 4.5 GA (220.127.116.11)
Windows Agent Update
Agent Activity Analyzer
Looking to troubleshoot interoperability issues between the EDR Agent and other off-the-shelf or custom applications that translate to high Agent CPU utilization? Then check out the Agent Activity Analyzer, currently offered for Windows agents, which makes it easier to identify potential points of failure. Through the management console you can use ‘Fetch Logs’ to retrieve Agent logs and pull in information from various recent time frames. You can also use the Sentinelctl command to retrieve a summary of all Agent activity. Both options allow you to pull together information such as Agent start and end times, start and stop events, % time on a process, CPU measurements and more. This information can then be used to make very accurate exclusions that allow business continuity with minimal security impact. Heads up: if you change any configuration values in this feature, you must reload the Agent for the changes to be applied.
*Please note that there are some processes, such as browsers and Microsoft Office, that you must not exclude even if they exhibit high CPU usage. For those, contact help for more information.
MacOS Agent Update
The 4.6 Mac Agent is supported on macOS Big Sur (10.16, 11.0 and 11.1) and Catalina (10.15). *Please review your system requirements*
This agent requires a different set of OS permissions than previous Agents. Changes are required for Full Disk Access and Authorizing Network Extensions, and these system changes for the SentinelOne apps need to take place. If Full Disk Access has not been provided, the Agent cannot scan files, and without access to Network Extensions the Agent may not be able to communicate with the console. These changes ensure that the applications are installed in a secure way, limiting installation to applications that are approved by Apple and the user.
Big Sur Support Added
SentinelOne adapted their macOS Agent to comply with Apple’s decision to deprecate support for Kernel Extensions in macOS Big Sur 11.x. Support has now been added for 10.16, 11.0 and 11.1. SentinelOne is still working hard on determining how best to support Device Control, Firewall and Network Quarantine on Big Sur, but currently these features remain unsupported. After upgrading to Agent 4.6 these features will stop working even if they are enabled in the Management Console.
Linux Agent Update
- Support for CentOS 7.9 & 8.2 / RHEL 7.9 & 8.3
- Support for Oracle Linux 8.2
- Support for Ubuntu 18.04.5, 18.04.7, 20.04.1
- Active Content: Support for Python and Shell scripts
- Ability to run Status reports > “Top Noisy Binaries”
- Active Content: Update Hash exclusions/Path exclusions based on command
- Support for Configurable Network Quarantine
The console update and agent release are scheduled for completion within an eight-hour maintenance window and will begin on Wednesday, February at 10 am IDT / 7 am UTC / 3 am EDT. A few important things to note during this time:
- All endpoints will continue to be protected.
- EDR management console login and API access may be unavailable.
We are excited to provide these new features to customers, as well as evangelize them with prospects. For the full release details click here.
As always, feedback is welcome on the release.