1-year anniversary to SentinelOne 1.8.4 release

We’ve just celebrated a year since launching the 1.8.4 release. Here’s a post sharing some interesting facts about the version. 1.8.4 will reach End of Support on June 15th. Before then, please update to 2.0, 2.1, or 2.5.

Features

It was the first release to include our Static AI engine (DFI), exclusions, Windows Security Center integration (so Windows does not claim there is no malware protection when SentinelOne is installed), auto-mitigation for PUPs on macOS, and many more features.

Our Static AI module: DFI – Deep File Inspection

Adding Static AI to our list of engines had a magnificent impact on the amount of malware we prevented before it had the chance to run, as before this release most mitigation happened on or after execution. Starting with 1.8.4, every file copied to disk is immediately scanned by the SentinelOne Static AI module and classified either as a threat (mitigated immediately), as a suspicious file (mitigation depends on the policy), or as benign, in which case the other engines can examine it before it can make its impact.

One of the major benefits of static-based detection is that it can be performed before the file is executed (pre-execution). This is obviously useful because it’s much easier to remediate malware if it’s never allowed to execute. An ounce of prevention is worth a pound of cure. A corollary of this benefit is that even corrupt and malformed executables which won’t execute can still be detected statically. Of course, any sort of detection which is mostly based on behavioral analysis will fail to detect these same samples because they don’t generate any behavior. It’s questionable whether these types of files should even be considered malicious. Even so, there may be some value in detecting and removing malware which can’t actually harm you, simply because it brings peace of mind and suits existing policies and procedures.
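To make the two paragraphs above concrete, here is an added example (not SentinelOne code, and not a description of how the real DFI engine works): a minimal on-write scanning pipeline that classifies each file as threat, suspicious, or benign and lets the policy decide what happens to suspicious files. The static classifier is a stand-in built from a constructed hash denylist and two structural PE-header checks; the policy modes `protect` and `detect`, the `Action` names, and all sample files are assumptions made for this example. The truncated sample shows the corollary from the text: a file that could never run still gets a static verdict.

```python
"""Added illustration of pre-execution static classification with
policy-gated mitigation.  Not SentinelOne code; every name and sample
below is constructed for this example."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import struct


class Verdict(Enum):
    THREAT = "threat"
    SUSPICIOUS = "suspicious"
    BENIGN = "benign"


class Action(Enum):
    QUARANTINE = "quarantine"   # file is blocked and quarantined before it can run
    ALERT_ONLY = "alert_only"   # file is reported but left in place
    ALLOW = "allow"             # handed on to the other (behavioral) engines


@dataclass(frozen=True)
class Policy:
    # Assumed policy knob: "protect" mitigates suspicious files, "detect" only alerts.
    mode: str = "protect"
    exclusions: frozenset = frozenset()


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to tell a well-formed file from a
    corrupt one.  Returns {'valid': bool, 'reason': str, 'sections': int}."""
    if len(data) < 64 or data[:2] != b"MZ":
        return {"valid": False, "reason": "no MZ header", "sections": 0}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"valid": False, "reason": "truncated or missing PE signature", "sections": 0}
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    return {"valid": True, "reason": "ok", "sections": n_sections}


def static_classify(data: bytes, known_bad: set) -> Verdict:
    """Stand-in for the static engine: bytes in, verdict out.  A trained
    model would replace the body; the interface is what matters here."""
    if hashlib.sha256(data).hexdigest() in known_bad:
        return Verdict.THREAT
    pe = parse_pe(data)
    if not pe["valid"]:
        # A malformed executable cannot run, so a behavioral engine would see
        # nothing; statically it is still classifiable.  Non-PE data is ignored.
        return Verdict.SUSPICIOUS if data[:2] == b"MZ" else Verdict.BENIGN
    if pe["sections"] == 0 or pe["sections"] > 32:
        return Verdict.SUSPICIOUS   # structurally odd section table
    return Verdict.BENIGN


def on_file_written(path: str, data: bytes, policy: Policy, known_bad: set):
    """Hook for 'file landed on disk'; runs before anything executes it."""
    if path in policy.exclusions:
        return Verdict.BENIGN, Action.ALLOW
    verdict = static_classify(data, known_bad)
    if verdict is Verdict.THREAT:
        return verdict, Action.QUARANTINE
    if verdict is Verdict.SUSPICIOUS:
        return verdict, (Action.QUARANTINE if policy.mode == "protect" else Action.ALERT_ONLY)
    return verdict, Action.ALLOW


def build_pe(n_sections: int) -> bytes:
    """Construct a minimal PE-shaped blob (DOS stub + signature + COFF header).
    It is not runnable; it exists only to exercise parse_pe."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 64)               # e_lfanew -> offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0, 0)
    return bytes(hdr) + coff


# Constructed samples.
SAMPLE_THREAT = build_pe(4) + b"constructed-denylisted-marker"
SAMPLE_BENIGN = build_pe(3)
SAMPLE_TRUNCATED = build_pe(3)[:70]      # header cut off: cannot execute
SAMPLE_TEXT = b"just a text file\n"
KNOWN_BAD = {hashlib.sha256(SAMPLE_THREAT).hexdigest()}   # constructed denylist

if __name__ == "__main__":
    for name, blob in [("threat.exe", SAMPLE_THREAT), ("ok.exe", SAMPLE_BENIGN),
                       ("broken.exe", SAMPLE_TRUNCATED), ("notes.txt", SAMPLE_TEXT)]:
        for pol in (Policy("protect"), Policy("detect")):
            v, a = on_file_written(name, blob, pol, KNOWN_BAD)
            print(f"{name:12} policy={pol.mode:8} verdict={v.value:10} action={a.value}")
```

The point of the `Policy` split is the same one the text makes about suspicious files: a threat verdict is mitigated regardless of mode, while a suspicious verdict is quarantined only under `protect` and merely reported under `detect`. Exclusions bypass the static stage entirely, which is why they should be kept narrow.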

Releasing the DFI module also helped us in two aspects:

  1. SentinelOne has decided to contribute to the community by offering it to VirusTotal. It’s important to highlight that we’ve shared the SentinelOne Static AI engine with VirusTotal, and not the other modules available in SentinelOne agents. To test malware against SentinelOne technology, we recommend using a deployed agent and not relying on the VirusTotal score for SentinelOne DFI.
  2. Although SentinelOne technology does not depend on scanning for detection, some of our customers asked for the ability to scan their endpoints, to cover the case of dormant malware and for compliance reasons. Adding Static AI enabled us to offer Full Disk Scan to our customers.

Policy

The policy was reasonably simple, but we needed to change from the concept of cloud validation to internal logic that uses the cloud only when needed. Our default policy used to require cloud connectivity for mitigation.

Remember this?

Detection

On the detection side, we added our anti-exploit capabilities, with ROP, stack pivot, and shellcode detection.

1.8.4 prevented many different malware attempts. Find their classification:

Recognised by 3rd parties

NSS labs

1.8.4 earned NSS Labs’ coveted ‘Recommended’ rating, scoring 99.79% in effectiveness, achieving the highest ROI out of 15 competing endpoint protection solutions and a leading TCO rating.

AV-Comparatives

1.8.4 has been named an Approved Business Product in an independent test from AV-Comparatives.

Conclusions

1.8.4 was a game changer for SentinelOne, as it marked the start of the prevention, detection and response era. It was the first time SentinelOne technology was deployed to large enterprises, covering geographically dispersed organizations of 100K endpoints and above. We recommend that all our customers upgrade, with the ease of a click, to the 2.x versions.
