SentinelOne is advising all EDR users to update as soon as possible. They recommend upgrading all Windows agents to 22.1 SP2 at minimum, released by N-able last week (see the N-able post for the 22.1 SP2 release on December 5).
To take advantage of new protection enhancements, we are now releasing Windows Agent 22.2 SP1 (22.2.4.558) on Tuesday, December 13th. The new critical enhancements are described below.
Protection Enhancements:
• Mitigation for a theorized Windows agent vulnerability that could allow non-privileged users to delete or quarantine arbitrary files, which advanced threat actors could leverage to cause a denial of service (DOS) to applications or operating systems. (Note: SentinelOne and system files are protected from the vulnerability, but other files can still be deleted. The complete fix is disabled by default. SentinelOne will enable the complete fix on the subsequent releases of versions 22.1 and 22.2.)
- To enable the complete fix on partially-fixed versions, set this Policy Override:
- {"monitorConfig": {"moveOnNextBootByFileId": true}}
• Improved security against known anti-EDR techniques.
• Enhanced detection for ransomware that leverages signed known and verified Microsoft processes.
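The Policy Override above is a JSON fragment that is merged into an endpoint's existing override document. The following added example (not SentinelOne or N-able code) shows how to merge the "complete fix" key into an existing override without clobbering sibling settings, and how to audit a set of overrides for endpoints that still lack it. The endpoint names and the extra override keys in the sample are constructed.

```python
# Added example, not SentinelOne/N-able code: merge the complete-fix Policy
# Override from the announcement into an existing override document and
# audit a set of overrides for it.
import json
from typing import Dict, List

# The override exactly as the announcement gives it.
COMPLETE_FIX_OVERRIDE = {"monitorConfig": {"moveOnNextBootByFileId": True}}


def deep_merge(base: dict, extra: dict) -> dict:
    """Return a new dict with `extra` merged into `base`; nested dicts are
    merged key by key instead of replaced, so sibling settings survive."""
    merged = dict(base)
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def apply_complete_fix(override_json: str) -> str:
    """Take a Policy Override as JSON text (may be empty) and return JSON
    text with moveOnNextBootByFileId enabled and all other keys preserved."""
    current = json.loads(override_json) if override_json.strip() else {}
    return json.dumps(deep_merge(current, COMPLETE_FIX_OVERRIDE), sort_keys=True)


def complete_fix_enabled(override_json: str) -> bool:
    """True only when the override sets the flag to the JSON boolean true
    (a string "true" or a missing/invalid monitorConfig does not count)."""
    try:
        doc = json.loads(override_json) if override_json.strip() else {}
    except json.JSONDecodeError:
        return False
    monitor_config = doc.get("monitorConfig") if isinstance(doc, dict) else None
    if not isinstance(monitor_config, dict):
        return False
    return monitor_config.get("moveOnNextBootByFileId") is True


def audit(overrides: Dict[str, str]) -> List[str]:
    """Return the endpoints whose override does NOT enable the complete fix.
    `overrides` maps an endpoint name to its Policy Override JSON text."""
    return sorted(name for name, text in overrides.items() if not complete_fix_enabled(text))


if __name__ == "__main__":
    # Constructed sample: ws-03 has the flag as a string, which is not enabled.
    sample = {"ws-01": "", "ws-02": '{"monitorConfig": {"moveOnNextBootByFileId": true}}',
              "ws-03": '{"monitorConfig": {"moveOnNextBootByFileId": "true"}}'}
    print("missing complete fix:", audit(sample))
    print("ws-01 after fix:", apply_complete_fix(sample["ws-01"]))
```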
To review your agent versions, Integrated EDR users should go to the EDR Dashboard, and Standalone EDR users should go to the Sentinels > Endpoints tab.
We strongly recommend upgrading as soon as possible to provide the maximum level of protection available.
New and improved in Windows 22.2 SP1 (22.2.4.558):
Wildcards in Network Control Rules
There is new support for wildcards in Firewall and Configurable Network Quarantine Rules. From Windows Agent version 22.2+, you can use wildcards in the FQDN remote host name. This lets you block or allow traffic to an entire domain, or a specific URL in a domain rather than an explicit host (FQDN) inside the Domain.

Filter Endpoints by Their Serial Number
You can filter endpoints on the Sentinels > Endpoints page by their serial number. This feature is supported for Windows, macOS, and Storage Agent endpoints. Note for Windows endpoints, the Serial Number is the endpoint SMBIOS number. The Serial number is also added now to the Endpoint Details.

Security Enhancement #1
We improved our security against known anti-EDR techniques. In this version, security measures are taken to prevent the loading of the Process Explorer (procexp) and sysdiag drivers, which are powerful kernel drivers known to be abused by malicious groups.
Use Policy Override to disable blocked signed drivers if you must use them:

Security Enhancement #2
We improved our security against known anti-EDR techniques. In this version, security measures are taken to prevent non-privileged users from deleting or quarantining arbitrary files (Data Deletion), which could cause a denial of service (DOS) to applications or operating systems.
Windows 11 22H2
This Agent version is supported on Windows 11 22H2. Upgrade to a supported Agent version before you upgrade the OS to 22H2.

Detection Enhancements
- Raspberry Robin Detection Infrastructure – Added detection and visibility for Raspberry Robin malware. Please review the Release Notes for the full list of Raspberry Robin Behavioral Indicators. This detection capability is suppressed by default. To enable detection, use Policy Override:

- QakBot Detection Infrastructure – Added detection and visibility for QakBot (also known as QBot and QuakBot) malware. Please review the Release Notes for the full list of QakBot Indicators. This detection capability is suppressed by default. To enable detection, use Policy Override:

And much more…
- You no longer need to provide a passphrase to uninstall the Agent that was installed with an MSI installer.
- A problem was found when ransomware decoy files were used on shared folders, where the OneDrive sync did not work properly. Ransomware decoy files are no longer deployed on shared folders by default.
- WebShell Detection Infrastructure on Apache Servers – New detection infrastructure was added to the Agent to identify the use of WebShell on Apache servers. This detection infrastructure is enabled by default.
- WebShell Detection Infrastructure on IIS Servers – New detection infrastructure was added to the Agent to identify the use of WebShell on IIS servers. This detection infrastructure is disabled by default. When enabled, the Agent sends Deep Visibility events when a WebShell attempt is detected.
- Added coverage for detecting Follina (CVE-2022-30190).
- Dynamic AI detection enhancements
- Improved interoperability of SentinelOne EDR and Singularity Identity (formerly Attivo) Agents.
- The Agent now blocks the use of Pertry.sys driver commonly used by attack frameworks.
For the full list of bug fixes, please see the Release Notes link below.
For full details on all updates please check out our Release Notes: https://success.n-able.com/nc-edr-documentation/