Advance Notice: EDR Agents Release 24.2 GA (macOS & Linux) Update – October 2nd

We are pleased to announce that on Wednesday, October 2nd, the Endpoint Detection and Response (EDR) product will release updated macOS and Linux 24.2 Agents for the following consoles:

Consoles:

We strongly recommend upgrading to these agents as soon as possible to provide the maximum level of protection available. If you are using Automation Manager Policies (AMP) please be sure to update those to the latest available agent.

New and improved in Mac 24.2 GA (24.2.2.7632):

Important:

  • Support for macOS Sequoia (version 15.0) is available in Agent version 24.2.2.
  • Due to changes to the permissions authorization mechanism introduced in macOS Sequoia 15, when a process tries to access local network resources, the system will ask the user to allow “sentineld” to access local networks. This must be allowed so that the SentinelOne Agent can fully protect the endpoint. Currently, Apple does not provide any method to pre-approve these requests using MDM. A monthly reminder will be displayed for this; please see the Release Notes for full details.
  • In some cases, due to macOS system changes in macOS Sequoia 15, SSH connection drops may occur. If you identify this behavior in your organization, please reach out to SentinelOne support for deeper investigation.
  • To use Device Control for Bluetooth devices with macOS Sonoma, grant Bluetooth permission to the sentinel_helper application. Setting Bluetooth permissions with an MDM profile is not supported by Apple.
  • Apple changes introduced in macOS Sonoma 14.4 and 14.4.1 can prevent the system notification that Full Disk Access has not been authorized for SentinelOne from appearing. If you are running macOS Sonoma 14.4 or 14.4.1 and have not authorized Full Disk Access for SentinelOne, you can upgrade to macOS Agent 24.1.2+ or macOS Sonoma 14.5 to restore the notification, or you can authorize Full Disk Access for SentinelOne directly.

Network Quarantine:

With macOS Agent 24.2, Network Quarantine hardening is now enabled automatically. By default:

  • Network Extension is set as the DNS Monitoring Source
  • AlwaysAllowDNSRequestsForAll is false

New and improved in Linux 24.2 GA (24.2.2.20):

New Ransomware Engine

Agent 24.2 for Linux offers a new ransomware engine that does not depend on predefined configuration (thresholds). The new engine analyzes events to evaluate and dynamically score anomalous behaviors. The engine was tested against the 10 most prevalent ransomware families of 2024.

And more:

  • Randomized UUID is now supported when the Agent is disabled.
  • Static AI now supports scanning of PHP files. PHP files are now sent to the Agent for evaluation.
  • If a threat originated from an SSH connection, the threat origin process is enriched with the originating machine’s IP address and target user name on the threat node. The enrichment is available for uprobe-supported scenarios only.
  • The Agent can now report metadata for ECS tasks on EC2 instances, in threat reports and Deep Visibility events.
  • The Agent now reports the SHA-256 value for supported file types to Deep Visibility.
  • Path exclusions of levels “performance focus/extended” are now supported during Full Disk Scan. The feature can be enabled by setting the following configuration: `{"full_disk_scan_path_exclusions": true}` (default: false).
  • New Detection rules have been added (see the full release notes for all added rules).

This entry was posted in N-central, N-sight.