SentinelOne EPP (Endpoint Protection Platform) is an anti-malware approach to endpoint security on Windows, OS X and Android devices. It is an on-premises approach with cloud support. The management console, then, may be on-prem or in the cloud depending on the organization's preference. The strong feature of this tool is the way it analyzes malicious code.
Typical modern malware is enmeshed in packers, cryptors or other wrappers. Polymorphism is used to alter code slightly to obfuscate it from typical signature- and heuristics-based anti-malware products. EPP takes a unique approach to analysis and blocking. Malicious code is allowed to run in a protected environment and its behavior analyzed. As a preliminary preventative measure, the code and its download source are subjected to reputation-based blocking. If that fails, dynamic exploit detection takes over to intercept application- and memory-based exploits. If context-aware dynamic analysis reveals malicious code, it is contained automatically. If the machine itself has been compromised, it is contained as well. The system then is rolled back to undo, and malicious changes and real-time forensic analysis takes over.
EPP was demonstrated on a morphed piece of malicious code. First, a copy of Zbot, a well-known banking trojan, was analyzed by both EPP and two other AV products. Both products caught the malware and took appropriate action. Next, the Zbot sample was morphed by making a trivial two-character change using a hex editor. The change did not affect the virulence of the malware. EPP still caught the malware while the other two products did not. EPP then protected all of the devices on the enterprise against this morphed strain of Zbot. SentinelOne calls this last action autoimmune protection.
Forensic analysis is very interesting on this tool. Geolocation allows determination of the geographic source of the infection and displays this on a world map. As forensic analysis is performed, based on the execution of the malicious code, a behavior map develops. This map shows such things as calling home, forking droppers and other system calls. The map has nodes that represent some action, such as forking a dropper. Clicking on that node will give detailed information about what happened. This analysis almost can be thought of as the story line of the malicious code's entry into the infected system and subsequent execution. Because it treats every infection as a zero-day, there is no missing of malicious code or generating false positives.
The main dashboard is reminiscent of other typical dashboards of the type seen routinely on similar enterprise-class products. It is clean, straightforward and has excellent drill-down. Metrics are displayed across the top where the administrator can tell at a glance the status of the enterprise.
This is another tool that treats threats against the endpoints as malware events. This is reasonable since malware is prevalent in a large percentage - though not all - attacks against endpoints. Subsequent data exfiltration also is usually the result of malware, whether acquired by the victim or placed by the attacker as part of the breach. In this case, though, the tool doesn't care if the malware involved is known or not, solving the bulk of zero-day problems that pose the greatest challenge to many anti-malware products. Currently, EPP provides next-generation anti-malware and anti-exploitation, instant autoimmune real-time forensics and SIEM integration (for alerting) functionality. Additionally, it boasts cloud intelligence-based reputation checking, prevention and instant indicator searching. Next up are remediation and a move into the Linux arena.
If you choose to deploy EPP on site you'll need an Ubuntu server. Basic support is included with the product, which includes reversing one sample of malicious code per month in addition to the normal detection and analysis of attacks. There also is an extra cost premium support service available. The website and documentation are solid as well. The premium support package allows up to five samples per month, and the response time never exceeds two hours. Premium support offers four health checks per year while the basic package offers one.