Advance Notice: EDR Mac and Linux Agent Update to 22.3

We are pleased to announce that Monday, January 9, the Endpoint Detection and Response (EDR) product will be releasing new agents for both Mac and Linux. The Mac agent will see an update to 22.3 GA ( and the Linux agent will see an update to 22.3 GA ( We strongly recommend upgrading these agents as soon as possible to provide the maximum level of protection available.

New and improved in Mac 22.3 GA (

Disable Agent Action is now supported on macOS

You can disable Agents manually, for troubleshooting. When you disable an Agent, you can identify interoperability issues related to the Agent without uninstalling the Agent. Disable or enable one or multiple Agents from the Management Console.

Communication is maintained between the Agent and the Management even if the Agent is disabled.

On a disabled Agent, many capabilities are turned off, including detection, protection, Device Control, and Firewall Control. With a disabled Agent, you can perform diagnostic actions and management-side actions.

New Granular Performance Focus Exclusions

This version supports Granular Performance Focus Exclusion for Static AI and File operations. Use Granular Performance Focus Exclusions to select a specific Engine, or Agent capability, to exclude from Path monitoring.

Additional Engines and Agent capabilities will be supported in future releases.

Example: To resolve performance issues caused by static on-write scanning, use Granular Performance Focus Exclusions to exclude only the Static AI Engine. All other Engines and capabilities will continue to run, including Cloud intelligence, Behavioral AI, and Deep Visibility.

And much more….

  • Improved Agent performance when installing OS upgrades
  • Detection Improvements:
    • Enhanced macOS Behavioral Indicators – The Agent now shows more behavioral indicators in the Forensic details.
    • Improved detection capabilities
  • Improved the Agent performance when files are opened by processes on the endpoint
  • Improved Agent performance for processes with a large number of arguments
  • Improved cache entries memory utilization
  • Enhanced the SentinelOne Agent file permissions
  • General bug fixes and improvements

For the full list of Bug Fixes please see the Release Notes link below

New and improved in Linux 22.3 GA (

Memory Capping Enhancements

Agent memory limits are now enabled by default for systems with more than 500GB of memory. The default memory capping for those systems will be set to 5GB.

Performance Enhancements

22.3 Agent now offers optimized operating system events – chdir and fchdir events are now processed in the s1-perf process only and not sent to the s1-agent process.

Fork and exit events are now excluded in Performance Focus – extended exclusions.

Detection Enhancements

  • Cryptominer Activity – Detection of configuration and preparation activities run before starting the mining.
  •  – Alert on suspicious attempts to perform a local privilege escalation that uses a SUID binary exploit.
  • The ransomware_markers and ransomware_dynamic detectors are now suspicious by default, instead of silent, and will generate a threat.
  • The mount_host_container_escape and pyinstaller detectors have moved from Silent Threat to Behavioral Indicators.
  • The Static AI model has enhanced detection.

New eBPF Improvements

To further improve Agent performance, we are using the Extended Berkeley Packet Filter (eBPF) to collect operating system telemetry events (where the OS supports it). eBPF features are gradually added over future Agent releases.

These are the eBPF features of this Agent release:

  • Execv event improvements to provide richer context of the process and mount events.
  • Added eBPF configuration per event and added the ability to configure eBPF hooks for each event with Policy Override.

The sentinelctl providers status command now shows detailed information about the configuration of events on the Linux system, including event status and effective event origin.

And More…..

  • Support added for x86 Agents: RockyLinux 9.0, OracleLinux 9.0
  • Local upgrades with sentinelctl control upgrade no longer require a passphrase.

For the full list of Bug Fixes please see the Release Notes link below

For full details on all updates please check out our Release Notes:

This entry was posted in N-central, N-sight. Bookmark the permalink.