Tom didn't touch on the Uninstall process. Is it possible to uninstall SentinelOne from another portal that we dont have access to? We have issues where we onboard customers with existing SentinelOne installation that requires uninstalling from the vendors portal that installed it.
18:37 What happens if the ransomware somehow manage to delete volume shadow copy, which is common thing done by any ransomware nowadays. Can I still rollback my machine state?
nice overview ..thank you… as this replaces a traditional av, would you still need to purchase a firewall or do you think it using windows firewall is good enough??
I use this for my clients as well. I'm curious if you do anything special for false positives now in light of the solarwinds supply chain attack. We are at the point where we can't afford to just assume something's a false positive because the file is signed by trusted source.
Thank you for the review, Tom. Do you have any thoughts or insights on rolling S1 out to multiple linux servers? I'm primarily concerned with trying to balance impact overhead to system resources with the protection provided. Just curious if you have any thoughts there or experience with the linux agent. Thanks again.
5:13 - it's kinda the same as Trend Micro got in their solution called Office Scan, I remember a customer that, by mistake, enabled it on PRD network to each endpoint connected (server and workstation) - It was a rough time fixing it ;)
Can you do a video on the why and how of sentinel one running powersploit in the background of every device the agent is installed? Where is the output file going?
@@LAWRENCESYSTEMS Thanx. Looking at going with Control, but looks like I lose the Explore (Storyline) tab. Complete seems to be about 2x more expensive for us (200 endpoints).
@@LAWRENCESYSTEMS thanks for the reply!, but I was wondering more about how it exactly does that. i.e. in windows does it change the network adapter profile from Private/Domain to Public and make other windows firewall changes? Can't seem to find any documentation on that detail. Was hoping you might have experience from this demo 😀
@@lennyaltamura2009 S1 actually works better with Splunk. They have a component that will actually enable the Splunk front end as used in environment today but will redirect the data to be stored in the S1 backend. This will not only cut the Splunk storage costs by more than half but also enable the customer to get dramatically improved performance on query results as it is stored/processed in a cloud native scalable environment. It's a win-win!
@@tomgore1959 I know. I use S1 for threat hunting. I also use Splunk for outlier and zero day IOC inspection. I'm curious what I said that spurred your reply. Thank you for pointing this out to the rest of the community. I find people making unsubstaciated claims of what S1 doesn't have. When I find these outrageous falsehoods, I always come to S1's defense. I also test EPP suites, SIEMs and the like.
Can you do a real test? Double clicking malware is in no way indicative of a real world threat. There are dozens of free AV that can stop commodity malware so this test tells me nothing. What TTPs are you using?
@@LAWRENCESYSTEMS A test that shows some real trade craft. Threat actors don't just double click malware that is sitting on someone's desktop. How was initial access gained to the system (phishing email, unpatched vulnerability, stolen credentials)? How do the malware get onto the machine? What was done to gain persistence after the access had been gained? MITRE does a good job at replicating real trade craft, which at the end of the day is what these solutions are supposed to be preventing. Just about any free AV can stop someone double clicking malware.
@@joeuser7384 I get what you are asking but that would be a COMPLETELY different video on how attacks occur and very out of scope for a video titled "SentinelOne Review and Malware Rollback Demo"
