We are pleased to announce that Thursday, August 25, the Endpoint Detection and Response (EDR) product will be releasing a new agent for Windows. The Windows agent will see an update to 22.1 SP1 (22.1.4.10010). We strongly recommend upgrading as soon as possible to provide the maximum level of protection available.

New and improved in Windows 22.1 SP1 (22.1.4.10010):

Rebootless Installation

In Windows Agent version 22.1 SP1 SentinelOne introduced a significant step towards Rebootless Agent installation. In 22.1 SP1 most Agent functionality is operational after installation, even if you do not reboot the endpoint. This includes Static detection, all Agent actions, and all response functions.

The main capability that continues to require a reboot is Behavioral AI detection and mitigation. This is planned to be supported in a future version.

For full details on Rebootless Installation please see the Release Notes linked below

Automatic Recovery from Agent Database Errors

Introducing the new database corruption auto-recovery mode. The Agent automatically recovers from database errors and major Agent functionalities are enabled except for Behavioral AI detection.

Graceful Termination for MSI Installer

If you set automation for an installation or upgrade policy with the Windows Agent MSI installer package, the installation or upgrade ends with a return code for success or failure.

If the action ended in failure, the MSI installer ends gracefully. It removes added files and reverts changes to the endpoint. On an installation failure, the MSI installer leaves a clean endpoint.

Public Cloud Metadata Reporting

The Management Console shows cloud metadata when the Agent is installed on Windows Servers running on cloud providers AWS, Azure, or GCP. This data is in the Endpoints page and in the Endpoint Details window.

Improved Detections

• Direct System Calls Detection

In Windows Agent 22.1 SP1 SentinelOne introduce a new and advanced capability to detect Direct Syscalls attack techniques.

• Invoke-AtomicRedTeam Detection

Added detection and visibility for the use of Red Canary Invoke-AtomicRedTeam attack simulation framework.

• Golden SAML Detection

Added detections and visibility for Golden SAML attack, originated from SentinelOne protected ADFS server.

• Improved Lateral Movement IP Detection

Remote IP address of Lateral Movement activity performed over Named Pipes (for example, by PsExec) will now be reported in the Incident page.

• More Improved Detections
  • Added Suspicious detection for the use of InfoStealer. Behavioral indicator: Multiple Infostealers.
  • Extended detection for the Rubeus toolset and other Kerberoasting techniques.
  • Improved detection for local privilege escalation.
  • Improved detection for Cobalt Strike, with enhancements for PowerShell payload.
  • New Behavioral AI logics, false-positive reduction.

More Improvements and Enhancements

• Performance optimizations around event monitoring (mainly Remote procedure calls) to reduce CPI and network utilization impact in heavy load scenarios.
• Improved the Documents, Scripts Detection engine. Previously, any threat by this engine triggered AI Confidence Level: SUSPICIOUS. Now documents this engine detects with high confidence as malicious trigger the threat AI Confidence Level: MALICIOUS.

If in the policy Malicious is set to Protect and Suspicious is set to Detect, the Agent automatically mitigates these threats.

• Updated Device Control log events in the Windows Agent Event Log.
• Update the icon for the Agent UI.

For the full list of Bug Fixes please see the Release Notes link below

For full details on all updates please check out our Release Notes: https://success.n-able.com/nc-edr-documentation/