S1 Version | New Features and Enhancements | Resolved Issues |
4.1.6.118 - Windows | None | High CPU and Memory issues caused by a bug in the Agent's internal data structures. Agent installation fails when the Component Object Model settings are not the default regarding impersonation and authentication levels. Some backup programs (including Veeam and Azure) fail to back up servers installed with the SentinelOne Agent. |
4.1.5.97 - Windows | None | After upgrading to version 4.1.2, in the Windows Network Connections properties window, you will no longer see file paths that begin with @%systemroot% replacing a list of your NIC features. If the Microsoft-Windows-CAPI2 ETW provider is enabled on Windows 7, digitally signed Excel macros crash. In this version you can disable this provider from running on Windows 7. Agent crashes on endpoints running 32-bit Windows OS. |
4.1.3.3265 - MacOS | Behavioral AI engine improvements. | None |
4.1.4.2 - Linux | Significant improvements for resource consumption. | Default TasksMax value in systemd distros caused high CPU and fork rejects. TasksMax is now custom and set to infinity. Increased the efficiency of the pruning logic of model-db to keep disk usage to a minimum. Improved Agent stability on systems with kernels that do not support mount namespace. In specific scenarios, systemctl was detected with the T1078 indicator. |
4.1.4.82 - Windows | Enhanced detection of the Koadic penetration framework. | A crash loop caused by completing previous quarantines after reboot. Agent fails to quarantine a file after reboot. Network consumption issue caused by heavy message communication between the Agent and the Management Console. A blocked Bluetooth device remains paired when running Windows 10 version 1903. Canon USB scanner hung and was not functional when Device Control is enabled. If the Agent mitigates a large number of files (more than 10K), the Agent might not send a mitigation report to the Management. Although the mitigation takes effect, you may not see the mitigation's correct status in the Forensics page. The SentinelOne Static Engine will no longer scan files automatically if they are excluded for interoperability with other programs. Issue that caused the Agent to stop functioning after an OS upgrade. Legitimate service services.exe is identified as malicious. |
4.1.2.3143 - MacOS | Extended support for path exclusion modes: the MacOS Agent now supports all of the path exclusion modes. Device Control now supports controlling Bluetooth Low Energy (BLE) devices. | The Agent stops quarantining a file with the same hash when copied to the same directory multiple times. False positive alerts on development tools such as Yarn, nodenv, Node, Expo, iTerm2, and Electron. Possible False Positive detection on Bash script, when installing or upgrading Homebrew Package Manager. The status of a mitigated threat is not always reflected correctly on the Management Console. Some exclusions were not applied correctly, generating high sentineld_helper CPU utilization. The Agent did not validate the minimum free disk space on installation. |
4.1.3.3 - Linux | Threats detected by full disk scan can now be mitigated and then the malicious file can be fetched retroactively. The agent verifies binaries are signed and belong to an installed package. | During times of high network load with traffic routed through a proxy, the s1-network daemon failed or consumed high CPU. Kernel panic on a Linux 2.6 kernel. The issue resulted in multiple restarts to the Linux server. The Fetch Logs (sentinelctl generate log) command took a long time to complete when slabtop output was more than one GB. With version 4.0.2 on RHEL6.x or CentOS 6.x, the Agent did not respond to upgrade, uninstall, fetch logs, and other endpoint actions. |
4.0.4.81 - Windows | Network consumption improvements. BlueKeep detection is now enabled by default. On a BlueKeep detection, the Agent extracts the IP address of the source machine which initiated the RDP connection. Detection of DCSync: DCSync is a Mimikatz feature that lets the attacker impersonate a Domain Controller and request account password data from the targeted domain controller. The DCSync attack is often used by pen-testers and red teams. Enhanced detection of penetration testing frameworks (Metasploit, Cobalt Strike, etc.). Enhanced detection of .NET executables due to a major improvement in the machine learning model. | If the Agent is installed using the MSI Installer, the Agent stops communicating and reporting to the Management Console after the endpoint is upgraded to Windows version 1909. When you install the SentinelOne Windows Agent with MSI, or upgrade the OS, if the Agent fails to set the maximum VSS percent disk utilization, the Agent installation might fail. Network consumption issue caused by heavy message communication between the Agent and the Management Console. The SentinelOne Static Engine will no longer scan files automatically if they are excluded for interoperability with other programs. The DLLhost.exe process consumes a lot of memory. From version 4.0.4 it is no longer created by default. The Agent can now communicate properly with the Management Console when Symantec Encryption Desktop is installed on the endpoint. If an endpoint is installed with the Windows Agent, when upgrading the operating system to Windows 10 version 1607 or later, Windows UWP Applications will stop working (will not load). Interoperability issues with Quest Software. Interoperability issue with ERP application Sivas. Agent crashes and causes a black screen on the endpoint. |
4.0.3.3085 - MacOS | Improved management of agent database size, with better handling for low disk space conditions. Improved agent CPU utilization when handling excluded processes. | Possible False Positive detection on Bash script, when installing or upgrading Homebrew Package Manager. Some exclusions were not applied correctly, generating high CPU utilization. The Agent no longer reports Device Control Connect/Disconnect events of internal USB Apple components. The Agent does not send threat indicators with the dynamic threat report. The Agent reports threat indicators after the threat evolves. The Management Console does not show the threat indicators. The Agent did not report installed applications in sub-directories of /Applications. Interoperability issue with Digital Guardian. Interoperability issue with ForcePoint. |
4.0.3.11 - Linux | Support for extended path exclusions for Linux. The Performance Focus and Performance Focus - Extended options are now applied on the Linux Agent for exclusions. See the note when you select one of these options. It shows that they are not available for Windows Legacy or MacOS. The Linux Agent will not monitor or send data of file events in a path that is excluded with an Extended option. (This is different from Windows, which stops monitoring all process and file events for excluded paths.) The Suppress All mode for Path Exclusion is only for false positives (do not report threats on the Console). To resolve performance issues of third-party applications and processes, use the new Performance Focus or Performance Focus - Extended mode for Path Exclusions. Support for Oracle Linux with Unbreakable Network: Ksplice interoperability. | During times of high network load with traffic routed through a proxy, the s1-network daemon failed or consumed high CPU. Kernel panic on a Linux 2.6 kernel. The issue resulted in multiple restarts to the Linux server. The Fetch Logs (sentinelctl generate log) command took a long time to complete when slabtop output was more than one GB. Sometimes threat information did not include Container data. In some deployments, the Agent could not communicate with the Management and its processes hung. Interoperability with Ksplice, after Ksplice patches the kernel on boot. The Agent DFI engine scans ZIP files, if the file has the extension ZIP. (File types excluded from DFI: Office files, PDFs, and ZIP files without the ZIP extension). If the Agent is upgraded from 2.6, proxy settings are cleared. The Lockdown kernel feature, already in Ubuntu 18.0.4+ and enabled by default with Secure Boot, is not supported. Some files in /opt/sentinelone are owned by root and not by the sentinelone user and group. On RHEL and CentOS 6.4, the Agent does not detect On-Write, only On-Execute. We recommend that you update the OS. |