App Review SentinelOne Endpoint Security (with SonicWall)

[Shadowra]

Content source

https://odysee.com/@Shadowra:f/SentinelOne-Endpoint-Security-(with-SonicWall):e

SentinelOne is an American IT security company for businesses.
They offer their AI-based NGAV (NextGen Antivirus) software to protect against malware.
It is also equipped with SonicWall, a company specializing in firewalls and IDS.
Settings are default.



SentinelOne is difficult to rate, so I'll just summarize.

The administration console is very light. You can perform a few actions, but it's impossible to modify specific rules... You really have to trust the editor's choices.

Web protection is good. SentinelOne catches downloaded files by blocking them directly from Edge. However, I was very surprised to see NO alerts from SentinelOne!
I had to check the SonicWall list...

On the pack, SentinelOne put up a good fight, but like all NGAVs, it has major weaknesses when it comes to script attacks. A njRAT managed to install itself, and SentinelOne asked for a reboot to perform its remediation, which I accepted. The trojan was gone.
Although SentinelOne defended itself well, it occasionally takes a while to detect a suspicious action. This can leave the computer in danger.
At the end of the test, the machine was compromised by a bloated Trojan that was active, as well as a CMD script entry at startup.

Not convinced, I expected better.

@ShenguiTurmi , @Correlate and @likeastar20 request

 

[likeastar20]

I'm currently trying it on my main machine and I like it, it's much lighter compared to Harmony but the protection is obviously worse. The portal-client connection is also fast, compared to the slow and clunky one I experienced with Harmony. Also, the behavior AI tends to produce some FPs (for example, whenever I scan with HitmanPro, but it's easy to unqurantine files).For those who have DeepInstict, the experience will be similar.Overall, the product feels overpriced for a home user.

 

[ShenguiTurmi]

It should be noted that SentinelOne does not OEM the technology from Sonicwall. It is the Sonicwall Capture Client that comes with a copy of SentinelOne to enhance Sonicwall ATP protection.
If you buy SentinelOne outright, you won't get anything from Sonicwall.
Btw amazing test! Thanks a lot!

 

[likeastar20]

@Shadowra I confirm that the script protection is not impressive. This tricky stealer was not caught by S1 where Avast caught it. Can you test this script?

VirusTotal

VirusTotal

www.virustotal.com

strela | 80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f | Triage

Check this strela report malware sample 80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f, with a score of 10 out of 10.

tria.ge

 

[ShenguiTurmi]

@Shadowra I confirm that the script protection is not impressive. This tricky stealer was not caught by S1 where Avast caught it.

VirusTotal

VirusTotal

www.virustotal.com

strela | 80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f | Triage

Check this strela report malware sample 80c7906a7e228cb7612cb94ef9f25de02c8520a5c7ec983cc117fe5f75c11f1f, with a score of 10 out of 10.

tria.ge

I sensed it too. Although I didn't publicise the results against Enterprise level, in Discussion Thread - Turtle‘s Enhanced Realworld Test EP4 (2023.06)
I actually tested S1 in this test, and they are oblivious to scripts generated by publicly available attack suites like PSEmpire.
Also, my previous testing of native CobaltStrike (without the extra loader) found that they didn't even intercept Powershell IEX...... This is a very dangerous command, commonly used in fileless attacks and rarely used in normal software.
They have a strong EDR (second only to Cybereason in MITRE 2022), but clearly have too much lacking in NGAV.

 

[Xciting]

the best is crowdstrike tho

 

[Xciting]

sentinel one is good

 

[Xciting]

Wonder if the test would be worse or better if you test elastic defend?

 

[Shadowra]

Wonder if the test would be worse or better if you test elastic defend?

I don’t have a licence for Elastic

 

[Xciting]

they do offer a trial for free no waiting for some team that doesnt exist to accept your request and u can extend it if u need to for free after it expires!

 

[cartaphilus]

I don’t have a licence for Elastic

Yeah during the COVID pandemic and after sitting on my arse for almost a year I was forced to get a license for elastic. I have currently been working out to get back to my pre pandemic size.

 

[Trident]

The feature set is not impressive either. Obviously it is lighter than many competitors, it offers almost nothing, apart from an average NGAV and EDR. I personally would stay away.

 

[Xciting]

I wish there was a free ngav :<

 

[likeastar20]

Im disappointed, why is S1's reputation so good? Everyone on reddit is talking about how good they are as a business AV, I dont see any such evidence. it seems to miss things frequently.

For example, no reaction from S1:

VirusTotal

VirusTotal

www.virustotal.com

redline | 594c356abf2b649f2df38a25ca6f3d43b43e842644ce90e3417ee0233a1d8a0c | Triage

Check this redline report malware sample 594c356abf2b649f2df38a25ca6f3d43b43e842644ce90e3417ee0233a1d8a0c, with a score of 10 out of 10.

tria.ge

 

[ShenguiTurmi]

The feature set is not impressive either. Obviously it is lighter than many competitors, it offers almost nothing, apart from an average NGAV and EDR. I personally would stay away.

The only feature of the S1 I'm impressed with is the STAR custom rules. Most other EDRs can only do simple auto-responses such as isolating devices. With STAR rules a lot of EDR based autoresponders can be implemented, including but not limited to killing processes after dumping memory. It is even possible to do direct interception of behaviour.
Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.
As a comparison S1 Complete is $65/device/year while CrowdStrike Enterprise is $195/device/year.
I still prefer DeepInstinct. i bought SentinelOne just for the EDR, and their NGAV has almost nothing to offer over DeepInstinct. As a machine learning solution, you can't even set the sensitivity. The ease of use of the console is also quite ordinary.

 

[likeastar20]

The only feature of the S1 I'm impressed with is the STAR custom rules. Most other EDRs can only do simple auto-responses such as isolating devices. With STAR rules a lot of EDR based autoresponders can be implemented, including but not limited to killing processes after dumping memory. It is even possible to do direct interception of behaviour.
Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.
As a comparison S1 Complete is $65/device/year while CrowdStrike Enterprise is $195/device/year.
I still prefer DeepInstinct. i bought SentinelOne just for the EDR, and their NGAV has almost nothing to offer over DeepInstinct. As a machine learning solution, you can't even set the sensitivity. The ease of use of the console is also quite ordinary.

Good points, you are right

 

[Trident]

Of course, these are all EDR features, nothing shiny for S1 NGAV.
When you consider the price, the S1 is still very good value for money.

There is nothing shiny to any of the NGAVs, they normally scan and support only executables. CrowdStrike layers the NGAV with the Falcon emulation and that can stop attacks where non-executables are used. In addition, system hardening can be used to provide script resistance. Others layer NGAV with standard antivirus engines and documents security (Cybereason, Check Point). SentinelOne is too much EDR-focused. If you run a business, you will spend less on EDR/XDR but due to lack of automation, you will spend more on SOCs.

 

[likeastar20]

@Shadowra another sample. can you confirm the sample is working and not detected by S1?

VirusTotal

VirusTotal

www.virustotal.com

raccoon | d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e | Triage

Check this raccoon report malware sample d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e, with a score of 10 out of 10.

tria.ge

 

[Shadowra]

@Shadowra another sample. can you confirm the sample is working and not detected by S1?

VirusTotal

VirusTotal

www.virustotal.com

raccoon | d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e | Triage

Check this raccoon report malware sample d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e, with a score of 10 out of 10.

tria.ge

Not detected

 

[likeastar20]

These samples seem to work differently compared to the usual Redline Stealers and Raccoon Stealers, can you take a look? @struppigel