ADVANCE NOTICE: EDR “Olympus” SP4 and Agent Update Pre-Release Announcement

Posted on August 13, 2021 by carlagajdecki

We are pleased to announce that on Wednesday August 18th, 2021 Endpoint Detection and Response (EDR) product will be updated to SentinelOne’s “Olympus SP4” release. This release delivers significant enhancements to the management console, as well as updated version of the Windows, macOs and Linux agents. The new agents contain many enhancements and bug fixes, and we strongly recommend upgrading all agents in your environment as soon as possible to provide the maximum level of protection available.

Excited to share some of the highlights below and please be sure to read the full Release Notes and supporting documentation available here: https://success.n-able.com/edr-documentation/

Olympus SP4 includes:

Exclusion Enhancements

Unified Exclusion List

The Exclusions page now shows all exclusion types in one table. Previously you selected an exclusion type and only saw exclusions of that type in the table. This new view also allows you to easily filter to search across all exclusions. Take advantage of this new view to easily search for;

  • Exclusions categorized as Recommended/Not Recommended by S1
  • Performance focus and Performance Focus Extended exclusions which should only be added at the recommendation of support.

Export to CSV

Olympus brings users the ability to easily export Exclusions and Blacklists to a CSV File. This will allow users the ability to sort entries in Excel to find duplicates and analyze lists for different scopes. It can also be used to take regular snapshots for compliance needs.

Exclusion Ascendants/Descendants

The Exclusion page now allows you to show Ascendants/Descendants. From the highest scope you can now see all exclusions and blacklist items that you have in all lower scopes, in a top-down structure. For example, from an Account scope, see the exclusions and blacklist items for the Account, all sites and groups associated to the account in one sortable table.

Exclusion and Blacklist Validation

Now if you create an exclusion that SentinelOne defines as not safe, an error message shows “The exclusion is not allowed” or “The exclusion is not recommended”. Items are not allowed when they can harm the product or lead to unexpected functionality. Any items created that are not recommended will show with a red icon.

Microsoft Exchange Exclusions

SentinelOne will be removing their Microsoft Exchange exclusions from the Exclusion Catalogue. SentinelOne testing has yielded no known interoperability issues but SentinelOne has limited visibility on attempts taken with Microsoft Exchange’s known vulnerabilities. Please evaluate your existing Microsoft Exchange exclusions. SentinelOne is recommending that you remove existing exclusions for Microsoft Exchange Server to improve your security.

If you believe you are experiencing interoperability issues with Microsoft Exchange, please log a support case.

Time to Mitigate

A great way to highlight how fast your agent works is by checking out the new mitigation time displayed. This is now available in the expanded Threat Row information and the Forensic detail. What’s even better is the fact that EDR doesn’t display the times in seconds/minutes/hours but in seconds and MILLISECONDS!

Threat Enhancements

“Not” Filter or Endpoints and Threats

Users can now use a “not” filter with Endpoint and Threat filters to show endpoints and threats not equal to an item. Simply click the = sign to convert to exclude the value selected.

Easy Mobility for Similar Detections

Prior to Olympus multiple threat detections were not easy to view, it required expanding each threat line individually. Easily maneuver between 3 or more threats with the same hash by clicking the back and forward arrows without having to open a new page.  

Export Threat Improvements

Exporting threat details, now includes the originating process, if it is available indicating which process was the threat spawner.

But there is more!

  • Management console tables includes ability to sort/hide columns
  • Standalone users will now see the Scope icon used to open the Scope panel has been moved from the sidebar to the Scope breadcrumbs.
  • Standalone EDR will experience a behavior change for mitigation actions for Global, Multi-Account and Multi Site users. SentinelOne has unselected the option ‘Apply to all instances this threat was selected automatically’ to prevent unintended actions on different scopes. Starting in Olympus:
    • When a user of one Account our Site is logged in “Apply to all instances of this threat” is still selected by default.
    • When a Global, Multi-Account or Multi-Site user is logged in “Apply to all instances of this threat” is NOT selected.
  • Standalone EDR improved Activity Log detailing user login actions
  • Standalone EDR includes Threat List and Endpoint List table widgets
  • Standalone EDR includes the ability to create multiple dashboards

Latest Agent Updates

Starting with this release Agent versions will be named by month and year of GA. Agent version 5.0 will be Agent version 21.5.

Please be advised that fresh installs for Windows at this time will install the Windows Agent 4.6 and will automatically upgrade to 21.6 GA

SentinelOne agent versions included in this update are:

  • Windows agent 21.6 GA (21.6.2.272) 
  • macOS agent 4.3 SP2 (4.3.12.5390)
  • Linux agent 21.6 GA (21.6.3.7)

Windows Agent 21.6 GA (21.6.2.272) 

The Windows agent brings with it increased memory management, better CPU management and better supportability. The Windows agent offers the following enhancements:

  • Enhanced prevention of unsigned driver, with the ability to detect and block when an unsigned driver is loaded on an endpoint with Windows 7.
  • Enhanced ransomware detection, the agent drops files (Canary files) with open read/write permission, which  are used for detection purposes. These files are dropped under C:\, C:\Users, and shared folders.
  • Enhanced Static AI model; coverage and detection for executable files with improved false-positive ratio
  • On-demand scan feature is now enabled by default and includes the scanning for archived (zipped) files has been added.

Mac Agent Update

4.3. SP2 Mac Agent (4.3.12.5390)

Available for devices with operating systems below Catalina 10.15, this agent brings enhanced Behavioral AI detection of Silver Sparrow malware.

21.5 GA Mac Agent (21.5.3.5411)

Support for Disconnect from Network. This provides feature compatibility with macOS Agents 4.3 and earlier versions. When in Disconnect from Network state, the Agent blocks all external network connections and allows only SentinelOne Management Console and SentinelOne Cloud network connections. Remote Shell connections work between the Management Console and an Agent while in Network Quarantine state.

Linux Agent 21.6 GA (21.6.3.7)

Linux Agent 21.6 GA brings in the following enhancements:

  • Improved Static AI for PDF detection
  • Enhanced implementation of path exclusions in Performance & Performance Extended modes to reduce performance improvements
  • Support for OpenShift 4.7
  • Support for apt in DEB agent package install/uninstall & upgrade
  • Support or Oracle Linux 8.3
  • Support or Oracle 8.4

The console update and agent release are scheduled for completion within an eight-hour maintenance window and will begin onWednesday, August 18th at 10 am IDT / 7 am UTC / 3 am EDT.  A few important things to note during this time:

  • All endpoints will continue to be protected.
  • EDR management console login and API access may be unavailable.

We are excited to provide these new features to customers, as well as evangelize them with prospects. One final reminder don’t forget to check out the full Release Notes at  https://success.n-able.com/edr-documentation/

As always, feedback is welcome on the release.

This entry was posted in N-central. Bookmark the permalink.