We are pleased to announce that on Wednesday, December 2, 2020, the SolarWinds Endpoint Detection and Response (EDR) product will be updated to the SentinelOne “Liberty SP5” release. This release delivers significant enhancements to the management console, as well as updated version of the Windows, macOs and Linux agent. 

The Management Console release and the new agents contain many usability enhancements and bug fixes, and we strongly recommend upgrading all agents in your environment as soon as possible to provide the maximum level of protection available.

Liberty SP5 includes:

Exclusion Catalog

Adding exclusions just got easier, with the new Exclusions Catalog. Easily add exclusions to prevent known interoperability issues between the SentinelOne Agent and applications in your environment.

Easily see in the catalog which applications are found on endpoints in your scope and which exclusions are already in your scope. A few important things to note:

• The list is based on cached list of all the App Inventory and not “real time” search
• Application data is updated in the catalog once a day and cannot be initiated by user request
• Exclusions will take place for the current scope
• At this time, only Path Exclusions are available
• A new Source column is available on the Exclusions table to highlight where an exclusion originated from including the Exclusion Catalog

Upgrade Policy Bandwidth Protection

Manage your bandwidth while you upgrade when you set the maximum concurrent downloads per scope. This will limit the number of endpoints allowed to download the Agent upgrade packages at the same time, making it easier to protect the bandwidth for your physical sites. The new Upgrades tab setting for Maximum Concurrent Downloads will allow you to set Multi-Hierarchy concurrency limits for complex networks. The management console will then manage the queue of upgrade commands and send them to the agent when a resource is available (according to the limit per scope.)

Disable Agent

No longer do you need to uninstall the agent when troubleshooting interoperability issues. Now available from the Management Console within the Endpoints – Actions is the ability to disable and enable an agent. A few important things to note:

• Currently available for Windows and Linux at this time
• Communication is maintained between the Agent and the Management console even if the agent is disabled
• Agent will not be protected BUT you can still perform diagnostic actions and management side actions
• Default is set to 1 hour (and you cannot set it indefinitely ensuring we don’t risk leaving an endpoint unprotected forever)

First Step is to select the time you would like this disabled for

Second step is to determine if you want to fully disable the agent which requires a reboot

Wondering why you would need a reboot? When the agent is running anytime new processes are running the SentinelOne injects their .dll files. The reboot will kick off the process again but this time without SentinelOne agent being injected into them. That said, you can disable the agent without rebooting as a first try.

To keep visibility on your agent’s operational status some changes have been made to the Endpoints, such as the red exclamation mark beside any device with a disabled agent.

The new column on the Endpoints table displaying each device’s Agent Operational State.

And the new Operational State filter.

Drilling into a specific end point, will also alert you to the Agent status and offer actions to enable and reboot.

More Endpoint enhancements….

• New filter for easily viewing Decommissioned Agents
• New Core Count Column added to the Endpoint Table

Explore Tab Enhancements

Now available from the Explore tab is the ability to export the Process Tree as a .png file, easily allowing you to share key information with your colleagues when managing an incident. Also, you will find that the Events table is no longer limited to 1000 events.

Security Enhancements: 2FA Lock Out

Three strikes and you’re out benched! If a user with Two-Factor Authentication configured enters the wrong 2FA code three times, the user is locked out of the Console for 30 minutes.

On-Demand Scan

Available for Windows and Linux at this time is the ability to allow an end user to trigger the scanning of files, folders and USB devices for threats on the endpoint directly. This feature is disabled by default but can be enabled through the sentinelctl command. To enable this feature on an endpoint the following command must be run: sentinelctl config fullDiskScanConfig.scanContextMenuItem true -k “passphrase”

Once this has been engaged the end user simply right clicks selects ‘Scan for Threats’. Couple things to note:

• Only one scan can be run at a time
• Suspicious are removed from the visual report
• On-demand scan will not report on files excluded from detection. If file hash of a scanned file was excluded from detection by the policy, the excluded file is not shown in the pop-up window or in the CSV of malicious files even if file is malicious.

A progress bar will display during the scan, to track the progress. This will also allow the user to Cancel the scan

The end user console will also present the end results and include detailed logs, and if a malicious file has been found and there is a corresponding CSV the user can click to draw up even more information.

Latest Agent Updates

SentinelOne agent versions included in this update are:

Windows agent 4.4 GA (4.4.3.149) macOS agent 4.3 GA (4.3.3.3512)  Linux agent 4.4 GA (4.4.2.3)

Windows agent 4.4 includes:

• Detection Improvements: Option to prevent Local Security Authority Subsystem Service (LSASS) process memory dump.
• We added Device Control log information to the endpoint’s Windows Event Viewer. When a USB, Bluetooth, or other device is connected, blocked, or disconnected and matches a Device Control rule, an event is logged in Windows Event Viewer
• Important security enhancements to the Agent communication protocols. Only Windows 4.4.2 Agents and later, running Management version Liberty and later, will apply the new protocols and gain this extra protection. We advise customers to upgrade.

Linux agent 4.4 includes:

• Operational troubleshooting with Linux is complex, with all the supporting permutations of distributions, supported kernel ranges and installations. Linux 4.4 Introduces the new Remote Profiler, responsible for gathering Agent operational data for advanced diagnostics and optimal resolution.
• Agent logs are optimized for endpoint disk space. For each Agent logger, there can be up to 10 log files. The new max log size is for all the 10 logs, combined, of each logger.
• The fetched logs include more information: the name of their Linux endpoint, cgroup (Agent, perf), process statistics, and process status.
• The sentinelctl log generate command is changed to work offline, independent of Agent service status.
• A new sentinelctl command is created to control the monitoring or see the disk usage of Agent processes:  sentinelctl disk monitor {get | set {on | off}}
• Support for Fedora 32 and Oracle Linux 8, 8.1

Mac agent 4.3 includes:

• New Behavioral detection capabilities added
• Resolved several False Positive detections
• A new configuration to stop sending the endpoint’s Model name attribute from an Agent to the Management Console. Use Policy Override to set the attribute sendModelName to false.

Gentle Reminder that macOs Big Sur support will be coming out in agent 4.6

The console update and agent release are scheduled for completion within an eight-hour maintenance window and will begin on Wednesday, December 2 at 10 am IDT / 7 am UTC / 3 am EDT.  A few important things to note during this time:

• All endpoints will continue to be protected.
• EDR management console login and API access may be unavailable.

We are excited to provide these new features to customers, as well as evangelize them with prospects. For the full release details click here.

https://documentation.solarwindsmsp.com/EDR/Liberty/en/release-notes.html

As always, feedback is welcome on the release.