ADVANCED NOTICE: EDR Windows and Mac Agent Updates coming Wednesday Dec 15th

We are pleased to announce that Wednesday, December 15 the Endpoint Detection and Response (EDR) product will be releasing new agents for both Windows and Mac. The Windows agent will see an update to 21.7 GA ( and the Mac agent will see an update to 21.7 SP1 ( We strongly recommend upgrading these agents as soon as possible to provide the maximum level of protection available.

New and improved in Windows 21.7 GA (

New Agent UI

With a fresh look and feel and more features, SentinelOne’s new UI gives you better visibility of your endpoint security status and improves the interaction between you and your organization’s security team and the end-users.

What’s new?

  • Unified look and feel for Windows and macOS Agents
  • Simplified end-user experience
  • Enriched Threat and Mitigation information
  • History of Quarantined files
  • Use of native operating system notifications
  • Agent details displayed in the UI to ease remote troubleshooting
  • Customized support contact information. Know who to contact in case of an Agent-related question.
  • Warning in case of a critical Agent functional issue or Protection state.

Automatically Prevent Disconnection of Non-Functional Agents

Before this release, Agent errors sometimes led to a non-functional Agent being disconnected from the Management Console. While Agent functionality was disabled, there was no option to communicate (for example, uninstall, upgrade, restart, investigate logs) with the Agent from the Management Console.

In this version, we introduce the first release of Agent auto-recovery.

  • If there are common database errors, the Agent disables its database. As a result, the majority of Agent functionality is disabled until the endpoint is rebooted.
  • If there are common repeating errors causing the Agent to not function, the Agent is automatically disabled.

In both cases, the Agent maintains connectivity to the Management console.

These cases will be shown as new Operational States in the Management Console in Management release Petra GA.

New operation states, introduced in Management version Petra GA, show when SentinelOne automatically disables Agents and when there is a database crash that requires a reboot.

The Operation States are in the Sentinels page, the Endpoints Details window, and the output of the sentinelctl status command. These states are relevant only for Windows Agents.

Operational State Values in Sentinels Page Filters

New Operational States:

  • Disabled by SentinelOne: The Agent is completely disabled by SentinelOne due to an unexpected error. The Agent is unprotected. Contact Support. When the issue is resolved, you can enable the Agent.
  • Disabled by SentinelOne and not rebooted: The Agent is disabled by SentinelOne due to an unexpected error. The Agent is not protected. Reboot the endpoint to completely disable the Agent. Contact Support. When the issue is resolved, you can enable the Agent.
  • Limited functionality: Agent database corrupted: Major Agent functionalities are disabled by SentinelOne due to database corruption. Reboot the endpoint to resolve the database issue. If the issue persists after reboot, contact Support.

Firewall Logging Enhancements

Added to Firewall logging of the Windows Event viewer: IP Protocol Number, Local IP Address, and Local Port automatically with no additional configuration.

Upload Signed Binary Files

The Agent can automatically upload signed binary files from your environment to the SentinelOne Cloud. This requires Binary Vault. Binary Vault lets you automatically upload executable files in your environment to SentinelOne Cloud storage. You can then download files on demand, for example, to run forensic analysis locally or with a third-party sandbox or analysis tool. Binary Vault is disabled by default.

Binary Vault improvements: Threats that are executed and then identified by the Agent from the Static AI Engine are now also uploaded

And yet that’s not all….

  • An Agent can be locally upgraded when in Disable mode.
  • New Behavioral Indicator for MITRE: T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting).
  • Early detection of the use of CobaltStrike and other attack frameworks.

For the full list of Bug Fixes please see the Release Notes link below

New and improved in Mac 21.7 SP1 (

Added Support for macOS Monterey 12.0 – macOS Agent versions 21.5 SP1 and 21.7 SP1 have been tested and verified on macOS Monterey 12.0. Do not upgrade your endpoints until you have a supported SentinelOne Agent. see macOS Agent Upgrade Playbook – macOS Monterey

For the full list of Bug Fixes please see the Release Notes link below

For full details on all updates please check out our Release Notes:

This entry was posted in N-central. Bookmark the permalink.