ADVANCE NOTICE: EDR “North Pole” SP1 and Agent Update Pre-Release Announcement

We are pleased to announce that on Wednesday April 21, 2021 Endpoint Detection and Response (EDR) product will be updated to SentinelOne’s “North Pole SP1” release. This release delivers significant enhancements to the management console, as well as updated version of the Windows, macOs and Linux agents. 

The Management Console release and the new agents contain many usability enhancements and bug fixes, and we strongly recommend upgrading all agents in your environment as soon as possible to provide the maximum level of protection available.

Excited to share some of the highlights below and please be sure to read the full Release Notes and supporting documentation available here:

North Pole SP 1 includes:

New Management Console Look and Feel

The Management Console is updated with a new Singularity theme. The updated visual theme includes:

  • Improved accessibility and readability.
  • Consistent color palette and standardized text styles.
  • Design improvements for clarity and consistency.

New Expanding Threat Row

In Incidents > Threats you can now expand a row to see the basic Forensic details and take mitigation action directly from the row.   

For easier navigation, in tables in the Management Console, the checkbox column is automatically frozen when you scroll right.

But there is more!

  • Improved experience for those using standalone EDR for selecting packages with added information available to ensure the right package is selected for install and upgrades. This also comes with expanded related notifications.
  • Standalone EDR offers new customizable Role Based Access Control (RBAC)
  • Standalone EDR will see improved User Login security for Management Console Users. The Console will require authentication before it applies changes that Console users make to their own user accounts.
  • Standalone users can now configure Email and Syslog Notifications for Group Administration activities in Settings > Notifications > Operations.
  • Standalone EDR offers the ability to export activity from the Activity Page

Latest Agent Updates

SentinelOne agent versions included in this update are:

  • Windows agent 4.6 SP3 ( 
  • macOS agent 4.3 SP1 (
  • macOS agent 4.7 GA ( 
  • Linux agent 4.6 SP1 (

Windows Agent Update 4.6 SP3 (

Prevent unsigned driver loading enhancements

By default, Windows does not allow loading test-signed kernel-mode drivers, by disabling TESTSIGNING mode in the Windows boot configuration. Starting this Agent version, EDR blocks the OS from entering into TESTSIGNING mode, to disallow malicious actors from changing the Windows default configuration and loading untrusted drivers. If you have a legitimate need to use the endpoint in TESTSIGNING mode, you can allow it by setting bcdProtectionConfiguration.testSigningProtection to false.

Either run this sentinelctl command:

sentinelctl config bcdProtectionConfiguration.testSigningProtection false -k “passphrase”

or add this Policy Override:


  “bcdProtectionConfiguration”: {

    “testSigningProtection”: false



For more details about test-signed driver use, see

Mac Agent Update

4.3. SP1 Mac Agent (

Available for devices with operating systems below Catalina 10.15, 4.3 SP1 offers general bug fixes and improvements.

4.7 GA Mac Agent (4.710.4767)

Available for devices with operating systems Catalina 10.15 and above (including Big Sur) will see the 4.7 GA agent bringing in static AI security improvements and performance improvements on heavy load operations.

Linux Agent 4.6 SP1 Update (

Linux Agent 4.6 SP1 offers an enhanced status report with the noisiest binaries, bringing visibility into which binaries caused the most events. Run sentinelctl report {summary | full} to get the status report. The output shows the new Top Binaries in the Most Common Paths section.

The Static AI engine brings with it fewer False Positives.

Support has been added for CentOS 7.

Linux Improved detectors for Behavioral AI

  • Known process-listers
  • Process command-lines that with a hash-like string
  • PID namespace container
  • Macos evation
  • SSH new key
  • cgroup release Agent container

Linux Improved detectors

  • Execute from FD process
  • Remote file copy
  • Python base64
  • libc interceptor
  • Mount host container escape

The console update and agent release are scheduled for completion within an eight-hour maintenance window and will begin on Wednesday, April 21st at 10 am IDT / 7 am UTC / 3 am EDT.  A few important things to note during this time:

  • All endpoints will continue to be protected.
  • EDR management console login and API access may be unavailable.

We are excited to provide these new features to customers, as well as evangelize them with prospects.

As always, feedback is welcome on the release.

This entry was posted in N-sight. Bookmark the permalink.