New Features, Enhancements and Resolved Issues in SentinelOne Agents

02/24/2021

    Description

    This article outlines the new features, enhancements and resolved issues in the SentinelOne Agents that are supported with Capture Client. For details on which SentinelOne agent is supported with which version of Capture Client, refer to the KB article on SentinelOne agent version availability with Capture Client.

    Resolution


    S1 Version

    New Features and Enhancements

    Resolved Issues

    4.1.6.118 - Windows

    None

    High CPU and Memory issues caused by a bug in the Agent's internal data structures.

    Agent installation fails when the Component Object Model settings are not the default regarding impersonation and authentication levels.

    Some backup programs (including Veeam and Azure) fail to back up servers installed with the SentinelOne Agent.

    4.1.5.97 - Windows

    None

    After upgrading to version 4.1.2, in the Windows Network Connections properties window, you will no longer see file paths that begin with @%systemroot% replacing a list of your NIC features.

    If the Microsoft-Windows-CAPI2 ETW provider is enabled on Windows 7, digitally signed Excel macros crash. In this version you can disable this provider from running on Windows 7.

    Agent crashes on endpoints running 32-bit Windows OS

    4.1.3.3265 - MacOS

    Behavioral AI engine improvements.

    None

    4.1.4.2 - Linux

    Significant improvements for resource consumption

    Default TasksMax value in systemd distro caused high CPU and fork rejects. TasksMax is now custom and set to infinity

    Increased the efficiency of the pruning logic of model-db to keep disk usage to a minimum

    Improved Agent stability on systems with kernels that do not support mount namespace

    In specific scenarios, systemctl was detected with the T1078 indicator

    4.1.4.82 - Windows

    Enhanced detection of the Koadic penetration framework.

    A crash loop caused by completing previous quarantines after reboot.

    Agent fails to quarantine a file after reboot.

    Network consumption issue caused by heavy message communication between the Agent and the Management Console.

    A blocked Bluetooth device remains paired when running Windows 10 version 1903.

    Canon USB scanner hung and was not functional when Device Control is enabled.

    If the Agent mitigates a large number of files (more than 10K), the Agent might not send a mitigation report to the Management. Although the mitigation takes effect, you may not see the mitigation's correct status in the Forensics page.

    The SentinelOne Static Engine will no longer scan files automatically if they are excluded for interoperability with other programs.

    Issue that caused the Agent to stop functioning after an OS upgrade.

    Legitimate service services.exe is identified as malicious.

    4.1.2.3143 - MacOS

    Extended support for path exclusion modes - The MacOS agent now supports all of the path exclusion modes.

    Device Control now supports controlling Bluetooth Low Energy (BLE) devices. 


    The Agent stops quarantining a file with the same hash when copied to the same directory multiple times.

    False positive alerts on development tools such as Yarn, nodenv, Node, Expo, iTerm2, and Electron.

    Possible False Positive detection on Bash script, when installing or upgrading Homebrew Package Manager.

    The status of a mitigated threat is not always reflected correctly on the Management Console.

    Some exclusions were not applied correctly, generating high sentineld_helper CPU utilization.

    The Agent did not validate the minimum free disk space on installation.

    4.1.3.3 - Linux

    Threats detected by full disk scan can now be mitigated and then the malicious file can be fetched retroactively.

    The agent verifies binaries are signed and belong to an installed package.

    During times of high network load with traffic routed through a proxy, the s1-network daemon failed or consumed high CPU.

    Kernel panic on a Linux 2.6 kernel. The issue resulted in multiple restarts to the Linux server.

    The Fetch Logs (sentinelctl generate log) command took a long time to complete when slabtop output was more than one GB.

    With version 4.0.2 on RHEL6.x or CentOS 6.x, the Agent did not respond to upgrade, uninstall, fetch logs, and other endpoint actions.

    4.0.4.81 - Windows

    Network consumption improvements

    BlueKeep detection is now enabled by default. On a BlueKeep detection, the Agent extracts the IP address of the source machine which initiated the RDP connection

    Detection of DCSync: DCSync is a Mimikatz feature that lets the attacker impersonate a Domain Controller and request account password data from the targeted domain controller. The DCSync attack is often used by pen-testers and red teams.

    Enhanced detection of penetration testing frameworks (Metasploit, Cobalt Strike, etc.)

    Enhanced detection of .NET executables due to a major improvement in the machine learning model.

    If the Agent is installed using the MSI Installer, the Agent stops communicating and reporting to the Management Console after the endpoint is upgraded to Windows version 1909.

    When you install the SentinelOne Windows Agent with MSI, or upgrade the OS, if the Agent fails to set the maximum VSS percent disk utilization, the Agent installation might fail.

    Network consumption issue caused by heavy message communication between the Agent and the Management Console

    The SentinelOne Static Engine will no longer scan files automatically if they are excluded for interoperability with other programs

    The DLLhost.exe process consumes a lot of memory. From version 4.0.4 it is no longer created by default.

    The Agent can now communicate properly with the Management Console when Symantec Encryption Desktop is installed on the endpoint.

    If an endpoint is installed with the Windows Agent, when upgrading the operating system to Windows 10 version 1607 or later, Windows UWP Applications will stop working (will not load)

    Interoperability issues with Quest Software.

    Interoperability issue with ERP application Sivas.

    Agent crashes and causes a black screen on the endpoint

    4.0.3.3085 - MacOS

    Improved management of agent database size, with better handling for low disk space conditions

    Improved agent CPU utilization when handling excluded processes

    Possible False Positive detection on Bash script, when installing or upgrading Homebrew Package Manager.

    Some exclusions were not applied correctly, generating high CPU utilization.

    The Agent no longer reports Device Control Connect/Disconnect events of internal USB Apple components.

    The Agent does not send threat indicators with the dynamic threat report. The Agent reports threat indicators after the threat evolves. The Management Console does not show the threat indicators.

    The Agent did not report installed applications in sub-directories of /Applications

    Interoperability issue with Digital Guardian

    Interoperability issue with ForcePoint

    4.0.3.11 - Linux

    Support for extended path exclusions for Linux. The Performance focus and Performance Focus - Extended options are now applied on the Linux Agent for exclusions. See the note when you select one of these options. It shows that they are not available for Windows Legacy or MacOS. The Linux Agent will not monitor or send data of file events in a path that is excluded with an Extended option.
    (This is different from Windows, which stops monitoring all process and file events for excluded paths.)

    The Suppress All mode for Path Exclusion is only for false positives (do not report threats on the Console). To resolve performance issues of third-party applications and processes, use the new Performance Focus or Performance Focus - Extended mode for Path Exclusions.

    Support for Oracle Linux with Unbreakable Network: ksplice interoperability.

    During times of high network load with traffic routed through a proxy, the s1-network daemon failed or consumed high CPU.

    Kernel panic on a Linux 2.6 kernel. The issue resulted in multiple restarts to the Linux server.

    The Fetch Logs (sentinelctl generate log) command took a long time to complete when slabtop output was more than one GB.

    Sometimes threat information did not include Container data.

    In some deployments, the Agent could not communicate with the Management and its processes hung.

    Interoperability with Ksplice, after Ksplice patches the kernel on boot.

    The Agent DFI engine scans ZIP files, if the file has the extension ZIP. (File types excluded from DFI: Office files, PDFs, and ZIP files without the ZIP extension).

    If the Agent is upgraded from 2.6, proxy settings are cleared.

    The Lockdown kernel feature, already in Ubuntu 18.0.4+ and enabled by default with Secure Boot, is not supported.

    Some files in /opt/sentinelone are owned by root and not by the sentinelone user and group.

    On RHEL and CentOS 6.4, the Agent does not detect On-Write, only On-Execute. We recommend that you update the OS.

