App Review SentinelOne Endpoint Security (with SonicWall)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Shadowra

Level 37
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,619
SentinelOne is an American IT security company for businesses.
They offer their AI-based NGAV (NextGen Antivirus) software to protect against malware.
It is also equipped with SonicWall, a company specializing in firewalls and IDS.
Settings are default.



SentinelOne is difficult to rate, so I'll just summarize.

The administration console is very light. You can perform a few actions, but it's impossible to modify specific rules... You really have to trust the editor's choices.

Web protection is good. SentinelOne catches downloaded files by blocking them directly from Edge. However, I was very surprised to see NO alerts from SentinelOne!
I had to check the SonicWall list...

On the pack, SentinelOne put up a good fight, but like all NGAVs, it has major weaknesses when it comes to script attacks. A njRAT managed to install itself, and SentinelOne asked for a reboot to perform its remediation, which I accepted. The trojan was gone.
Although SentinelOne defended itself well, it occasionally takes a while to detect a suspicious action. This can leave the computer in danger.
At the end of the test, the machine was compromised by a bloated Trojan that was active, as well as a CMD script entry at startup.

Not convinced, I expected better.

@ShenguiTurmi , @Correlate and @likeastar20 request
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
I'm currently trying it on my main machine and I like it, it's much lighter compared to Harmony but the protection is obviously worse. The portal-client connection is also fast, compared to the slow and clunky one I experienced with Harmony. Also, the behavior AI tends to produce some FPs (for example, whenever I scan with HitmanPro, but it's easy to unqurantine files).For those who have DeepInstict, the experience will be similar.Overall, the product feels overpriced for a home user.

yes.PNG
 
Last edited:

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
It should be noted that SentinelOne does not OEM the technology from Sonicwall. It is the Sonicwall Capture Client that comes with a copy of SentinelOne to enhance Sonicwall ATP protection.
If you buy SentinelOne outright, you won't get anything from Sonicwall.
Btw amazing test! Thanks a lot!
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
Last edited:

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
@Shadowra I confirm that the script protection is not impressive. This tricky stealer was not caught by S1 where Avast caught it.

I sensed it too. Although I didn't publicise the results against Enterprise level, in Discussion Thread - Turtle‘s Enhanced Realworld Test EP4 (2023.06)
I actually tested S1 in this test, and they are oblivious to scripts generated by publicly available attack suites like PSEmpire.
Also, my previous testing of native CobaltStrike (without the extra loader) found that they didn't even intercept Powershell IEX...... This is a very dangerous command, commonly used in fileless attacks and rarely used in normal software.
They have a strong EDR (second only to Cybereason in MITRE 2022), but clearly have too much lacking in NGAV.
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
Im disappointed, why is S1's reputation so good? Everyone on reddit is talking about how good they are as a business AV, I dont see any such evidence. it seems to miss things frequently.

For example, no reaction from S1:

 
Last edited:

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
The feature set is not impressive either. Obviously it is lighter than many competitors, it offers almost nothing, apart from an average NGAV and EDR. I personally would stay away.
The only feature of the S1 I'm impressed with is the STAR custom rules. Most other EDRs can only do simple auto-responses such as isolating devices. With STAR rules a lot of EDR based autoresponders can be implemented, including but not limited to killing processes after dumping memory. It is even possible to do direct interception of behaviour.
Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.
As a comparison S1 Complete is $65/device/year while CrowdStrike Enterprise is $195/device/year.
I still prefer DeepInstinct. i bought SentinelOne just for the EDR, and their NGAV has almost nothing to offer over DeepInstinct. As a machine learning solution, you can't even set the sensitivity. The ease of use of the console is also quite ordinary.
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
The only feature of the S1 I'm impressed with is the STAR custom rules. Most other EDRs can only do simple auto-responses such as isolating devices. With STAR rules a lot of EDR based autoresponders can be implemented, including but not limited to killing processes after dumping memory. It is even possible to do direct interception of behaviour.
Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.
As a comparison S1 Complete is $65/device/year while CrowdStrike Enterprise is $195/device/year.
I still prefer DeepInstinct. i bought SentinelOne just for the EDR, and their NGAV has almost nothing to offer over DeepInstinct. As a machine learning solution, you can't even set the sensitivity. The ease of use of the console is also quite ordinary.
Good points, you are right
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.
There is nothing shiny to any of the NGAVs, they normally scan and support only executables. CrowdStrike layers the NGAV with the Falcon emulation and that can stop attacks where non-executables are used. In addition, system hardening can be used to provide script resistance. Others layer NGAV with standard antivirus engines and documents security (Cybereason, Check Point). SentinelOne is too much EDR-focused. If you run a business, you will spend less on EDR/XDR but due to lack of automation, you will spend more on SOCs.
 

Shadowra

Level 37
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,619

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top