Advance Notice: EDR Mac and Linux Agent Update to 23.1 GA

Posted on July 5, 2023 by carlagajdecki

We are pleased to announce that Monday, July 10, the Endpoint Detection and Response (EDR) product will be releasing new agents for both Mac and Linux. The Mac agent will see an update to 23.1 GA (23.1.3.6816) and the Linux agent will see an update to 23.1 GA (23.1.2.9). We strongly recommend upgrading these agents as soon as possible to provide the maximum level of protection available.

New and improved in Mac 23.1 GA (23.1.3.6816):

Network Quarantine

The 23.1 GA Mac Agent now offers support for Configurable Network Quarantine.  You can now configure rules to allow specific network traffic to and from endpoints that are isolated from the Network.

Notification Enhancements

Easier navigation to the macOS permissions settings. If the Agent is missing permissions, you can open the System Preferences window by clicking the Agent notifications.

And More….

  • Added support for macOS Sonoma 14.x Beta testing – You can now install the Agent on the macOS Sonoma Beta versions. SentinelOne does not guarantee a production-grade Agent for the macOS Beta versions. Use this Agent for testing purposes only. It is not recommended to test macOS Sonoma on production environments
  • Improved detections, mitigation, and exclusions for processes that executed with interpreters such as osascript, bash, python, perl, and ruby.
  • Enhanced Firewall Control FQDN rules enforcement.
  • General bug fixes and improvements

For the full list of Bug Fixes please see the Release Notes link below

New and improved in Linux 23.1 GA (23.1.2.9):

Single Agent for commercial and FIPS-compliant environments

Starting from Linux Agent 23.1 GA, there are no separate agent packages and binaries for using the Agent in commercial vs. FIPS-compliant environments. Instead, the same Agent can be deployed in both types of environments and configured to run in FIPS-compliant mode where required.

Note: The Agent must be restarted after FIPS mode is enabled.

  • To enable FIPS mode: Run sentinelctl fips enable|disabled|status to enable, disable, and show the status of FIPS mode. Policy override options: {“fips_enabled”: true | false (default)}
  • Installation Enhancements: Added a new environmental variable S1_AGENT_FIPS_ENABLED to the available Agent installation configuration variables used in: Deploying the Linux Agent with a Configuration File.

If true, it will enable FIPS mode for the Agent.

If set to false, it can be enabled with sentinelctl fips enable.

Detection Enhancements

The 23.1 GA Linux agent brings in the following Detection enhancements:

  • Execution of obfuscated executables packed by UPX – Alert is generated when a process is changing the protection mode of a chunk of its own memory to Execute.
  • New detection of cross-platform mythic Medusa agent startup and payload execution (python-based framework and payloads).
  • Improved detection of shell history evasion and system logs cleaning.
  • The Static AI model has enhanced detection.
  • These logics were updated from silent to suspicious and will generate a threat:
    • web_shell
    • network_shell
    • execute_from_memfd
    • ransomware_dynamic_encryption_utility
    • post_exploitation_execution
    • crypto_miner_execution
    • pkexec_pe
    • suspicious_cron_activity

Performance Enhancements

To decrease inter-process communication and improve performance, the Agent now uses fewer processes to support its functionality. The s1-perf and s1-fanotify processes are no longer running as part of the Agent. Their functionality has been merged in to the s1-agent process.

As part of this change, these log files were updated:

  • perf.log and fanotify.log are no longer generated by the Agent
  • providers.log is replacing perf.log. It is a new log file that captures log messages related to the collection of operating system telemetry events by the Agent.
  • old_logs.tar.gz – During an upgrade, the Agent compresses previous log files and stores them in this file. This is a one-time action.

The Perf event optimization feature was removed from the Agent configuration. Settings with perf_event-optimization in use will be ignored. We recommend you use exclusions and the memory, CPU, and queue capping features to manage performance.

And more..

  • Support added for x86 and ARM Agents: Amazon Linux 2023

For the full list of Bug Fixes please see the Release Notes link below

For full details on all updates please check out our Release Notes: https://success.n-able.com/nc-edr-documentation/

This entry was posted in N-central, N-sight. Bookmark the permalink.