Review: SentinelOne blocks and dissects threats

SentinelOne EPP brings good malware detection, excellent forensics, and flexible remediation to business networks

At a Glance
  • SentinelOne Endpoint Protection 1.7.0

SentinelOne Endpoint Protection Platform (EPP) is an antimalware solution that protects against targeted attacks, malware, and zero-day threats through behavioral analysis and process whitelisting and blacklisting. The client agent, which analyzes the behavior of processes on Windows, OS X, Linux, and Android endpoints, can replace or run alongside other signature-based antimalware solutions. SentinelOne EPP stands out not only for its protection capabilities but also for its excellent forensics and threat analysis.

SentinelOne evaluates process behavior based on "dynamic execution patterns." The agent scans endpoints, indexes application files and processes, and sends information about them to the cloud, where they are assigned reputation scores. When scores surpass policy thresholds, processes can be killed, files quarantined, and endpoints rolled back to the last known-good state. Metadata about processes and files is pooled among SentinelOne's customers, building an anonymous threat intelligence network that benefits everyone.

I was impressed by the depth of SentinelOne's forensic analysis capabilities. The solution records all information related to applications and processes, then displays it in a straightforward, easy-to-understand historical view within the browser-based management interface.

Getting started

SentinelOne's management console can run in the cloud or on premises. I tested the cloud-based version. The management console has an elegant, responsive GUI, with a friendly look and feel across devices. I found that it was most user-friendly from my PC with a nice big monitor, yet it was still pleasant to access from my iPad and usable from my Android smartphone.

Installing agents on my Windows test machines took seconds and required no user intervention. After a reboot, the agent did a full scan of each machine, which took anywhere from 30 seconds to two minutes. The agent has negligible resource requirements, taking up a mere 25MB of disk space and 32MB of RAM and at most 1 percent of CPU when running. The agent interface provides basic information to the user, such as how many applications, processes, and services are running. I was unable to terminate the process or remove the agent from the endpoint itself.
