We are pleased to announce that Wednesday, May 15th the Endpoint Detection and Response (EDR) product will be releasing updated Windows, macOS and Linux 23.4 Agents for the following consoles:
Consoles:
- https://usea1-swprd1.sentinelone.net/login
- https://usea1-swprd2.sentinelone.net/login
- https://usea1-nabl9.sentinelone.net/
- https://euce1-swprd2.sentinelone.net/login
- https://euce1-nabl8.sentinelone.net/
- https://apne1-swprd3.sentinelone.net/login
We strongly recommend upgrading to these agents as soon as possible to provide the maximum level of protection available.
New and improved in Windows 23.4 SP1 (23.4.4.223):
Please be advised: Windows Agent 22.3+ requires updated certificates. If the endpoint does not get Windows updates, you must install the certificate manually for the Agent to communicate with the Management Console. For more information, see Agent Requirements on Windows.
Rebootless Agent Installation (GA):
Rebootless Agent Installation lets you install the Windows Agent without the need to reboot your endpoint. When you install the Agent, all security capabilities are enabled even before the first reboot.
This new capability ensures business continuity in the production environment while enabling all the supported security capabilities of the Agent.
For Rebootless Agent Installation, SentinelOne has enhanced its monitoring of processes that were already running before the Agent was installed. This might cause issues. If you see issues with Rebootless Agent Installation behavior after installation and before the first reboot, use this installation flag to disable Rebootless Agent Installation for fresh installations:

After the rebootless installation, the installer UI will not show a Reboot Required message, and the endpoint status in the Console will show No Pending Action instead of Pending Reboot.
Mitigate malicious macros in Office files:
You can enable the Agent to automatically remove malicious macros from infected files.

You can also manually mitigate Office files with macros:
- Remove the malicious macro from the file without quarantining the file itself. This keeps the Office file intact and available for business continuity.
- Quarantine the file without removing the macro.
- Add the SHA1 value of the file to the Blocklist.
- If the detection of a macro was a false positive, add the SHA1 value of the legitimate macro to the exclusions list and exclude the macro from being mitigated.

Driver Blocking:
You can now configure suspicious driver blocking settings in the Management Console. In earlier Agent versions, drivers were blocked from loading and a threat was raised by the Static AI engine to the Management Console.
- By default, Suspicious Driver Blocking blocks Windows signed and unsigned drivers, as well as other suspicious drivers.
- When a driver is blocked, a new Driver Blocked (Preemptive) Threat notification shows in the Threats page. No further Mitigation Actions are necessary. A notification also shows in the Agent UI.
- You can deselect driver types that are blocked, or turn off Suspicious Driver Blocking to only block drivers that you add to the Blocklist.

Improved mitigation for malicious .NET applications:
The .NET protection infrastructure of the Agent now applies to all .NET processes. This infrastructure gives the Agent more visibility and mitigation capabilities against malicious .NET techniques exploited by .NET malware and tools.
This feature is in A/B testing in this version. There is a randomly-assigned 50% chance that the feature is enabled for an endpoint. To make sure it is enabled on your endpoints, use this configuration:
- Add this Policy Override:

- Or run this sentinelctl:

If you do not want to use this feature, disable it with this configuration:
- Add this Policy Override:

- Or run this sentinelctl:

LSASS write prevention:
LSASS-write prevention is a new security feature. It prevents unauthorized write access to the Local Security Authority Subsystem Service (LSASS). The LSASS-write prevention feature supports exclusions, meaning you can add an option to exclude certain processes from the write prevention.
The feature is enabled by default. To disable it:
- Add this Policy Override:

- Or run this sentinelctl:

Where:

LSASS-write prevention only prevents third-party applications by default. You can configure the Agent to prevent all programs, including applications signed by Microsoft. To configure:
- Add this Policy Override:

- Or run this sentinelctl:

File events counter:
Identical events that occur in a one-minute time frame are aggregated and sent every minute. The timestamp of the event is the first identical file operation that was made in this one-minute time frame. The Agent now sends the File Events counter to Deep Visibility™ and can be seen there. These file events are now consolidated:
- File Modification
- File Rename
- File Creation
- File Deletion
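The one-minute consolidation described above, as an added example that is not the Agent's own code: identical file events (same operation, path and process) in the same window collapse into one record carrying the first-seen timestamp and a counter. The fixed one-minute window alignment and the event fields are assumptions, and the events are constructed sample data.

```python
from collections import OrderedDict
from datetime import datetime, timezone

# Operation types the release notes say are consolidated.
CONSOLIDATED_OPS = {"File Modification", "File Rename", "File Creation", "File Deletion"}
WINDOW_SECONDS = 60

# Constructed sample events as (timestamp, operation, path, process); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-15T10:00:05", "File Modification", "C:\\data\\report.xlsx", "excel.exe"),
    ("2024-05-15T10:00:20", "File Modification", "C:\\data\\report.xlsx", "excel.exe"),
    ("2024-05-15T10:00:41", "File Creation", "C:\\data\\tmp.dat", "excel.exe"),
    ("2024-05-15T10:00:55", "File Modification", "C:\\data\\report.xlsx", "excel.exe"),
    ("2024-05-15T10:01:10", "File Modification", "C:\\data\\report.xlsx", "excel.exe"),
    ("2024-05-15T10:01:30", "File Deletion", "C:\\data\\tmp.dat", "excel.exe"),
]


def aggregate_file_events(events, window_seconds=WINDOW_SECONDS):
    """Collapse identical file events per window into (first timestamp, counter) records."""
    buckets = OrderedDict()
    for ts_str, op, path, proc in events:
        if op not in CONSOLIDATED_OPS:
            raise ValueError(f"unexpected operation: {op}")
        ts = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc)
        # Assumption: windows are aligned to fixed one-minute boundaries.
        slot = int(ts.timestamp()) // window_seconds
        key = (slot, op, path, proc)
        if key not in buckets:
            # The first identical operation in the window supplies the timestamp.
            buckets[key] = {"timestamp": ts_str, "event": op, "path": path,
                            "process": proc, "count": 0}
        buckets[key]["count"] += 1
    return list(buckets.values())


def records_saved(events, window_seconds=WINDOW_SECONDS):
    """Number of individual records the consolidation removed."""
    return len(events) - len(aggregate_file_events(events, window_seconds))
```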
Downgrade support for disabled Agents:
You can now downgrade disabled Agents. This is supported when Agents were automatically disabled by SentinelOne or when you disabled Agents.
VSS management improvements:
See the full Release Notes to learn more about how to change the VSS storage available to the Agent from UNBOUNDED to a configurable threshold (for example, 90%) in case of an attack, and how to add a retention mechanism to the VSS snapshots used by the Agent. You can define how long to keep SentinelOne snapshots available for rollback as a remediation for a ransomware attack.
Detection Enhancements:
- Detection of malicious Python scripts: SentinelOne added detection enhancements for malicious Python scripts.
- Detection enhancements against Impacket: Impacket is a collection of Python classes for working with network protocols. Because of how Impacket implements those protocols, it is easy to use for evading detection and for persistence. New Behavioral Indicators were added to indicate the detection of Impacket.
- Memory Scanner: The Memory Scanner is a new detection capability of the Agent that enables more reliable detections by running efficient YARA-engine pattern searches over the memory of a running process. This feature is enabled by default and is expected to have minimal impact on performance.
And More….
- Please see the full Release Notes on N-able Me for a long list of new AI detections, AI indicators and visibility, such as LsassMemoryWriteBlockedAttempt, which detects blocked LSASS write operations.
- Safe Mode Protection: The Agent now blocks any process from booting into safe mode, except excluded ones.
- Improved detection coverage of SharpHound.
New and improved in macOS 23.4 GA (23.4.1.7125):
Scan files and folders for threats with On-Demand Scan:
- Right-click a file or folder and select Scan For Threats to trigger a threat scan.

- Download the scan report CSV or log file to review detected malicious file paths.
- Sentinelctl support for On-Demand Scan.
- For more, see On-Demand Scan with the macOS Agent.
Improved response when MDM tools appear to initiate malicious processes:
To configure mitigation actions on these processes or prevent mitigation of the MDM tool, use this Policy Override:

Where int is:

And More….
- Support for storage devices connected over Thunderbolt from Management Version Z SP1.
- The Agent now collects IPv6 events for Deep Visibility™.
- Enhanced Behavioral Indicator metadata format for events in Deep Visibility™.
- Enhanced security in Device Control for USB devices.
- Detection enhancements.
- Bug fixes and improvements.
New and improved in Linux 23.4 GA (23.4.2.14):
Static AI Improvements:
- Improved performance when scanning PE files.
- Reduced the number of false positives when scanning PDF files inside archive files.
CPU Performance Limits:
You can now set resource CPU usage limits. The sentinelctl command now supports Irix notation in addition to Solaris notation.
If the absolute CPU limit is set above the maximum CPU limit available on the machine, the CPU limit will not be set. If both the Irix and Solaris flags are used, the smaller of the two limits will be used, so long as it is a valid value.
sentinelctl resource cpu limit set --solaris <value> --irix <value>
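An added example (not SentinelOne's code) showing why the "smaller of the two" rule needs both values in one notation before comparing: it assumes the usual top(1) conventions, Irix being a percentage of one core (so up to 100 × core count) and Solaris a percentage of the whole machine (up to 100), and that the "absolute CPU limit" in the rule above is the Irix value.

```python
import os


def irix_to_solaris(irix_pct, ncpu):
    """Convert Irix notation (100% = one core) to Solaris notation (100% = all cores)."""
    return irix_pct / ncpu


def effective_cpu_limit(solaris=None, irix=None, ncpu=None):
    """Return the limit that would apply, in Solaris notation, or None if nothing valid.

    Mirrors the two rules in the release notes: a limit above what the machine
    can provide is not set, and when both flags are given the smaller valid
    value wins. Assumption: notation semantics follow top(1).
    """
    ncpu = ncpu or os.cpu_count() or 1
    candidates = []
    if solaris is not None and 0 < solaris <= 100:
        candidates.append(float(solaris))
    # Irix values above 100 * ncpu exceed the machine, so they are ignored.
    if irix is not None and 0 < irix <= 100 * ncpu:
        candidates.append(irix_to_solaris(irix, ncpu))
    return min(candidates) if candidates else None
```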
Detection Enhancements:
- StaticAI now supports malicious shell script (.sh) detection.
- The mount_host_container_escape detection rule was improved to reduce False Positives.
- New detection for systemctl commands that attempt to disable the Agent on systemd-based host machines. If a user tries to run systemctl stop sentinelone.service, the command is refused and a suspicious alert is generated.
- A new, silent rule (disarm_all_kprobes) detects if kprobes are disabled.
- A new, silent rule (kerberos_ticket_extraction) detects any attempt to extract kerberos tickets by dumping a kerberos-related process memory by another process.
- A new memory_dump event type was added. It uses the eBPF kprobe hook on the mem_read kernel function. The event is supported on all systems that support eBPF CORE, including containers.
- A new, silent rule (memory_dump) detects any attempt to dump process memory by another process.
- Active content for interactive bash and python sessions has an improved classification.
- A new chroot event type was added to trace chroot calls. The event is supported only on systems that support security_path_* hooks.
And More….
- The interval for sending Deep Visibility™ packets changed from one to three minutes, or every 1000 Deep Visibility™ events.
- Deep Visibility™ Enhancements: Enriched the correlated metadata of the Behavioral Indicator Deep Visibility™ event from the binary integrity detection with the corrupted package name.
- The Agent now enforces type-based mount exclusions at the kernel level when using eBPF hooks.
- Behavioral Indicator events are aggregated into a single event and reported one time per minute.
- File events are aggregated into a single event and reported one time per minute.
- StaticAI-based detections will now be correlated with corresponding threat indicators in the threat overview page.
- TCP connection events are now monitored with eBPF.
- Apache web processes now create new storylines. This lets the Apache-related threats have smaller, more relevant storylines, and the Apache process itself is not mitigated (killed).
- Check out the full Release Notes showcasing added support for x86 and ARM Agents such as Debian-12.2, Debian-12.1, RHEL 9.2, AlmaLinux 9.2 and more.