We are pleased to announce that Wednesday, September 6, the Endpoint Detection and Response (EDR) product will be releasing a new Windows agent. The Windows agent will see an update to 23.1 GA (23.1.4.650). We strongly recommend upgrading these agents as soon as possible to provide the maximum level of protection available.

Read more: Advance Notice: EDR Windows 23.1GA Update

New and improved in Windows 23.1 GA (23.1.4.650):

Please be advised:  The old Windows installation package (SentinelInstaller.exe) is no longer supported and will not be supplied. Instead, use the new installation package (SentinelOneInstaller.exe). For more details, review related EDR Documentation – “Installing Windows Agent 22.1+ with the New Installation Package”.

UWF Support:

• About UWF:

Unified Write Filter (UWF) is an optional Windows feature that safeguards Windows-based devices by redirecting all writes (app installations, setting changes, saved data) to a virtual overlay. The virtual overlay location is typically cleared upon reboot or guest user log off. UWF provides a clean user experience for thin clients and shared workspaces, such as schools, libraries, and hotel computers. It enhances security and reliability for kiosks, IoT-embedded devices, and similar devices that do not require frequent addition of new apps. Agents installed on an endpoints with UWF requires a specific setup.

• UWF Support:

Starting with Windows Agent 22.3 GA, we support Windows UWF (Unified Write Filter) configuration. Earlier Agent versions had a more limited support of UWF configuration for selected customers. Now, UWF support is generally available. If you installed an older Agent version on an endpoint with a UWF configuration, you can now upgrade to this version for official UWF support.

• Supported OSs:
• Windows 10/11 Enterprise (and IoT)
• Windows 10/11 IoT Enterprise
• Windows 10 Enterprise LTSC (and IoT)
• Windows 10 IoT Core

Automatic scan of connected external devices

The Agent can automatically scan files on an external storage device when it connects and is identified as a volume on the endpoint. Malicious and suspicious files will raise threats and the Agent will automatically mitigate them according to the Detection policy. Other device types that are storage devices, but not volumes, will not be supported, for example:

• Digital cameras
• Mobile Phones

The scan status and progress is displayed in the Agent UI (as on-demand-scan) and in the Activity log page in the Management Console. You can cancel the scan from the Agent UI. The start and stop scan actions are also captured in the Windows Event Log.

Limitation: When scanning a read-only mounted volume, you cannot quarantine the files there.

This feature is disabled by default. To enable, either add this Policy Override:

Or run this sentinelctl command:

To see the scan status and progress in the Agent UI, either add this Policy Override:

Or run this sentinelctl command:

Detection Enhancements

SentinelOne has added coverage for MITRE 1564.001 (Hide Artifacts: Hidden Files and Directories). SentinelOne has also enabled new behaviors to detect these issues:

And More….

• Resolved an issue related to the MS Windows Security Updates for April, which might impact Windows 10 and Windows 11 devices running SentinelOne. The Microsoft Windows April Security Update introduced additional information to the Feature Flag functionality which impacted the ability of the SentinelOne Agent to detect audit policy changes. After applying one of the MS Windows security patches (KB5025221, KB5025239, KB5025224), the Agent was unable to detect changes to the audit policy if the default audit policy was changed. This caused the Agent to not be able to make the necessary corrections to re-enable audit policies required for the Agent to fully function.
• Resolved False Positive detections from the Behavior AI engine on Microsoft Windows processes.