Capture Client Threat Protection Policy Engines

02/26/2021 2 407

DESCRIPTION:

The Engine settings shows the various detection engines that scan and inspect activity.

CAUSE:

Engine settings can be found under Security Policies-> Threat Protection-> Open Respective Policy-> Engine Settings

RESOLUTION:

Pre-Execution Engine

The SentinelOne agent leverages static AI and reputation engines to monitor files as they are written to disk.

• Reputation: This engine refers to the SentinelOne Cloud to make sure that no known malicious files are written to the disk or executed. This cannot be disabled.
• Deep File Inspection: This is a preventive Static AI engine that scans for malicious files when written to the disk and on execute.
• Deep File Inspection - Suspicious: A Static AI engine that scans for suspicious files when written to the disk and on execute, it is recommended to leave this engine enabled. The indicators in Forensics will help quickly analyze whether the file is a threat or benign. If safe, you can mark the detection as a "Mark as benign"
• Potentially unwanted applications: A Static AI engine on macOS devices that inspects applications that are not malicious, but are considered unsuitable for business networks.

Capture ATP Engine

Capture ATP Auto-Mitigation when enabled along with the DFI-Suspicious Engine allows detection of a potential threat, reports it and sends it to Capture ATP for further analysis. Based on policy settings, the verdict from Capture ATP can trigger automatic mitigation actions like "Kill & Quarantine" or "Mark as Threat"

On-Execution Engine

Monitor behavior and detect malicious activity when a process initiates.

The SentinelOne agent leverages behavioral AI engines to monitor behavior on the endpoint. When the SentinelOne agent is installed, the endpoints must be rebooted to enable the behavioral engines.

• Dynamic Behavior Tracking: A Behavioral AI engine that implements advanced machine learning tools. This engine detects malicious activities in real-time, when processes execute.
• Documents, Scripts: A Behavioral AI engine, focused on all types of documents and scripts.
• Lateral Movement: A Behavioral AI engine that detects attacks initiated by remote devices.
• Anti Exploitation / Fileless: A Behavioral AI engine, focused on exploits and all fileless attack attempts, such as web-related and command line exploits.
• Intrusion Detection: A Behavioral AI engine on Windows devices focused on insider threats such as malicious activity through PowerShell or CMD.