Capture Client - System Requirements
09/09/2024
Description
Capture Client is a comprehensive endpoint security solution that protects Windows and macOS devices. It is administered from the SonicWall Cloud Management Console, a cloud service requiring only a web browser and an internet connection.
Resolution
Hardware
To install Capture Client on a Windows PC or Mac, the device must meet the following hardware requirements:
Specification | Minimum | Recommended |
CPU Requirements | 1 GHz or better | Dual-Core Processor |
Memory Requirements | 1 GB RAM or more | 2 GB RAM or more (Windows), 2 GB RAM (Mac) |
Storage Requirements | 2 GB free disk space; 10% of disk for VSS snapshots (for each drive) | 3 GB recommended; 10% of disk for VSS snapshots (for each drive) |
General Agent Requirements
- CPU micro-architectures such as x86_32, ARM, RISC, and MIPS are not supported.
- If you use PAN-OS 8.1 (Palo Alto Networks), you must manually add SentinelOne as an approved application.
Operating Systems
Capture Client Management Console supports endpoints (PCs, laptops, tablets, and other devices) running the following operating systems. Capture Client's advanced threat protection is powered by SentinelOne, and the SentinelOne agent is automatically installed and configured according to the Threat Protection security policy. The recommended SentinelOne agent version is listed below.
Windows Operating Systems
Operating System | Version | Capture Client | SentinelOne Agent | Sentinel Agent (EOS/EOL) |
Windows Server | 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1 | 3.9.0 or Later | 23.4.4.223 or Later | 22.3 |
Windows 11 | 64-bit | 3.9.0 or Later | 23.4.4.223 or Later | 22.3 |
Windows 10 | 64-bit & 32-bit | 3.9.0 or Later | 23.4.4.223 or Later | 22.3 |
Windows 8 | Version 8, 8.1 on 32-bit and 64-bit | 3.9.0 or Later | 23.4.4.223 or Later | 22.3 |
Windows 7 | Version 7 SP1 on 32-bit and 64-bit | 3.9.0 or Later | 23.4.4.223 or Later | 22.3 |
NOTE: All agents running on Windows that are supported according to SentinelOne’s life cycle are tested for compatibility with each Windows 10 Redstone release. Supported editions of Windows 7, 8, 8.1 and 10 include Home, Pro, Pro for Workstations, Enterprise, Education, Pro Education, and Enterprise LTSC. Core and Mobile editions are not supported. We have extended our support of CC agent on Windows 7 but we strongly advise that you migrate your endpoints to Windows 10, since it offers better security architecture than Windows 7, and the Agent on Windows 10 supports enhanced security features.
CAUTION: On Windows 11 22H2, the Agent UI might not work after an Agent installation or upgrade until you reboot the endpoint. This is caused by a known issue in Microsoft Windows 11 22H2. If you use the Agent UI and the endpoint is on Windows 11 22H2, we recommend rebooting after installing or upgrading the Agent.
TIP: This issue is solved in Windows Agent versions 22.1.5+ and 22.2.3+. Windows Agents 22.1.5+ and 22.2.3+ support Windows 11 22H2.
Windows Agent Dependencies
Installation | Notes |
Windows Defender | You should consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019 to prevent interoperability issues. On Windows 10, when the Agent registers to the Windows Security Center, SentinelOne becomes the primary Virus and Threat protection, instead of Windows Defender unless a policy override change is made to allow Defender. In Windows 7, 8, and 8.1, the SentinelOne Agent registers to the Windows Security Center along with Windows Defender. SentinelOne does not become primary. You should consider uninstalling Microsoft Defender Antivirus. |
.NET Framework 4.7.2 and later | |
On Windows 10 and Windows Server 2016, install Microsoft KB4093119, to make sure old logs in ProgramData\Sentinel\logs are deleted. | An endpoint should have only 16 log files, taking up no more than 1.6 GB. |
On Windows 7, Windows 7 Service Pack 1 (SP1), Windows Server 2012, and Windows Server 2008 R2 SP1, install the update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP and add the Registry subkey, as shown in the article. | SentinelOne Management-Agent communication uses TLS 1.2. This is not supported by default in Windows 7. You must install this update and add the registry subkey, as shown in the article. |
KB3033929 (SHA2) - Security Update for Windows 7 SP1 and Windows Server 2008 R2 | This security update must be installed on Windows 7 SP1 and Windows Server 2008 R2 SP1 to meet the minimum requirements for the installer. |
KB2758857 for Windows 7 and Windows Server 2008 R2 OR KB2533623 and KB4457144 - Security updates for Windows 7 SP1 and Windows Server 2008 R2 | After you install this update, you must restart the endpoint and run the Agent installation again. |
Microsoft Windows Volume Shadow Copy Service (VSS) | Configure VSS before you install the Agent. The Agent fills the available amount of VSS, typically 10% of the SYSTEM Drive. Refer to this KB article. |
GPO Privileges | The administrator who runs Agent installation through group policy must have RESTORE and TAKE OWNERSHIP privileges to prevent an installer crash. |
Windows Event Log | The Windows Event Log service must be enabled before you install the Agent. |
GPO Chrome Extensions | The SentinelOne Chrome extension is part of the Agent installation. When you install or upgrade the Windows Agent with GPO, Chrome extensions must be enabled. |
Windows Root Certificates | Update Windows Root Certificates. If you do not, it could lead to invalid signature errors. |
Azure Code Signing (From Agent version 22.3+) | If the endpoint does not get Windows updates, you must install KB5022661 because SentinelOne installation package is signed using a Microsoft Controlled Root Certificate. |
DigiCert | If the endpoint does not get Windows updates, you must manually install DigiCert for the Agent to communicate with the Management. |
Windows Services set to Automatic | Base Filtering Engine Service; Windows Update Service |
Required Windows Administrator Permissions
- The Windows Agent installer works on supported Windows endpoints with default settings. If your environment is hardened with specific changes, the installer might fail or crash. Make sure your environment fulfills these requirements for a successful installation.
- The Windows Agent installation requires Administrator permissions, with write permissions to C:\Users\Public\Documents and C:\ root. Install only as an Administrator, whether local, remote, GPO, or other.
- The Agent Anti-Tampering process restores and takes ownership of files during installation. The user running the installation must have Restore and Take Ownership privileges (default for Windows Administrator).
- The Agent Installer adds a trusted publisher to the machine certificate store that signs the PowerShell profile script of its PowerShell Protection. The local Administrator user must have privileges to install trusted publisher certificates.
- The Agent Installer creates a backup of the ELAM driver in the ELAM backup directory, ELAMBKUP, configured in the system registry. This directory must exist.
- The Agent installs drivers to the Program Files directory. The Program Files directory must be on the system boot volume.
- The Windows System user is required. Do not delete it!
- The Windows Management Instrumentation (WMI) Service (winmgmt) is required.
macOS Operating Systems
MacOS Operating System Version | MacOS Name | Capture Client Version | SentinelOne Agent Version | Sentinel Agent (EOS) |
14.6.1 | Sonoma | 3.9.0 or Later | 23.3.2 or Later | |
14.6 | Sonoma | 3.9.0 or Later | 23.3.2 or Later | |
14.2, 14.2.1, 14.3, 14.3.1, 14.4, 14.4.1, 14.5 | Sonoma | 3.9.0 or Later | 23.3.2 or Later | 23.2.6+ |
14.0, 14.1, 14.1.1, 14.1.2 | Sonoma | 3.9.0 or Later | 23.3.1 or Later | 23.2.2+ |
13.6.9 | Ventura | 3.9.0 or Later | 23.3.2 or Later | |
13.6.8 | Ventura | 3.9.0 or Later | 23.3.2 or Later | |
13.6.3, 13.6.4, 13.6.5, 13.6.6, 13.6.7 | Ventura | 3.9.0 or Later | 23.3.2 or Later | 23.2.6+ |
13.5.1, 13.6, 13.6.1 | Ventura | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
13.3, 13.3.1, 13.3.1(a), 13.4, 13.4.1, 13.5 | Ventura | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
13.2, 13.2.1 | Ventura | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
13.0, 13.1 | Ventura | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
12.7.6 | Monterey | 3.9.0 or Later | 23.3.2 or Later | |
12.7.2, 12.7.3, 12.7.4, 12.7.5 | Monterey | 3.9.0 or Later | 23.3.2 or Later | 23.2.6+ |
12.7.1 | Monterey | 3.9.0 or Later | 23.3.2 or Later | 23.2.3+ |
12.7 | Monterey | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
12.6.1-12.6.8, 12.4-12.6, 12.2-12.3.1, 12.0-12.1 | Monterey | 3.9.0 or Later | 23.3.1 or Later | 23.2.1+ |
NOTE: Supports both Apple M1 Silicon and Intel chipset Mac endpoints.
Linux Operating Systems
- The Linux Agent supports SELinux in Permissive and Enforcing modes.
- All Cloud providers (such as GCP, Azure, AWS) support installation of the Linux Agent on instances that fulfill the system requirements.
- The Linux Agent is compiled with a 64-bit kernel and libraries. It supports Intel x86_64 compatible architecture and x64 hardware.
- The Linux Agent does not support:
  - 32-bit architecture
  - CPU micro-architectures such as ppc64, x86_32, RISC, MIPS
  - UNIX OS versions such as FreeBSD, AIX, Solaris
- The Linux Agent can be installed on Desktops and Servers of the supported distributions, of new kernel versions only (for example: Oracle 6.9 kernel-uek-4.1.12-61*).
- Major cloud providers support installation of the Linux Agent on instances that meet the system requirements.
- Supported with ECS Anywhere. For more information see Containerized Workloads in AWS.
Limitations of Older Kernels:
- Kernels lower than 2.6 (build 2.6.32-358) - Not supported.
- Kernels lower than 3.8 - Static AI and Reputation engines are not triggered on new files written to disk, but they do work from Full Disk Scan. Deep Visibility File Modification and Network Action event types are not supported.
- Kernels lower than 3.10 - Containers are not supported.
- Kernels lower than 3.11 - Static AI cannot analyze files as they are written to a container. The Agent analyzes these files when the files are executed.
- Kernel version 4.18.0-147 on RHEL 8.1 - A soft lockup might occur when the Agent uses eBPF. The issue is resolved in RHEL 8.2 with a newer kernel.
- The Agent does not support systems with Kernel Lockdown set to Confidentiality. For example, Fedora 31 kernel 5.3.7 default Kernel Lockdown was "Confidentiality" which is not supported. Fedora 31 kernel 5.5.x default is "Integrity", which is supported.
Operating System | Version | SentinelOne Agent |
Azure Linux (formerly CBL-Mariner) | Azure Linux (formerly CBL-Mariner) | 23.3 or Later |
Amazon Linux | Amazon Linux 2023.3 | 23.2 or Later |
Amazon Linux | Amazon Linux 2023.1, 2023 | 23.1 or Later |
Amazon Linux | Amazon Linux 2, AMI 2018, AMI 2017 | 22.3 or Later |
Red Hat Enterprise Linux (RHEL) | Red Hat Enterprise Linux (RHEL) 9.3, 9.2, 8.9 | 23.3 or Later |
Red Hat Enterprise Linux (RHEL) | Red Hat Enterprise Linux (RHEL) 8.8 | 23.1 or Later |
Red Hat Enterprise Linux (RHEL) | Red Hat Enterprise Linux (RHEL) 9.1, 9.0, 8.7 - 8.0, 7.9 - 7.0, 6.10 - 6.4 | 22.3 or Later |
Ubuntu | Ubuntu 22.04.6 | 23.2 or Later |
Ubuntu | Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04 | 22.3 or Later |
CentOS | CentOS Stream v9 | 23.2 or Later |
CentOS | CentOS 8.4 - 8.0, 7.9 - 7.0, 6.10 - 6.4 | 22.3 or Later |
Oracle Linux (OL) / Oracle Enterprise Linux (OEL) | Oracle 9.3, 9.2 | 23.3 or Later |
Oracle Linux (OL) / Oracle Enterprise Linux (OEL) | Oracle 9.1, 8.8 | 23.1 or Later |
Oracle Linux (OL) / Oracle Enterprise Linux (OEL) | Oracle 9.0, 8.7 - 8.0, 7.9 - 7.0, 6.10, 6.9 | 22.3 or Later |
SUSE Linux | Enterprise Server 15.x, 12.x, 11.x | 22.3 or Later |
SUSE Linux | SUSE Linux Enterprise Server 15 SP5 | 22.4 or Later |
Fedora | Fedora 38, 39 | 23.3 or Later |
Fedora | Fedora 37, 36, 35 | 22.3 or Later |
Debian | Debian 12.4 | 23.2 or Later |
Debian | Debian 12.2, 12.1, 12 | 23.3 or Later |
Debian | Debian 11.9 | 23.4 or Later |
Debian | Debian 11.8, 11.7, 10.13 | 23.2 or Later |
Debian | Debian 11, 10, 9, 8 | 22.3 or Later |
Virtuozzo | Virtuozzo 7 | 22.3 or Later |
Scientific Linux | Scientific Linux 7, 6 | 22.3 or Later |
Rocky Linux | Rocky Linux 9.3, 9.2 | 23.3 or Later |
Rocky Linux | Rocky Linux 8.8 | 23.1 or Later |
Rocky Linux | Rocky Linux 9.1, 9.0, 8.7, 8.6, 8.5, 8.4 | 22.3 or Later |
Linux Minimum Hardware Requirements for Agent and for Endpoint Usage
Minimum for Managed Endpoint | Notes for Agent Requirements |
2 GHz Dual-core CPU | |
4 GB RAM | As per distro requirements. |
25 GB free disk space for OS | Make sure the endpoint size fits the requirements for logs, files, services, etc. |
2 GB | At least 2 GB in /opt/SentinelOne. Recommended is 3 GB. Make sure the endpoint meets the minimum disk space and partition requirements of the Linux distro it is running on. |
Instruction-supported CPU: SSE4_2 | Some virtual environments mask support for advanced CPU capabilities. See your VM vendor documentation. For example: the VMware article "How to Override Masks" and the Hyper-V article "How to turn off processor compatibility mode". |
Required Software
Dependencies: None on baseline distro installations.
If the Linux OS is customized, list the dependencies declared by the installer package:
rpm -qRp SentinelAgent_installerFileName.rpm
or
dpkg -I SentinelAgent_installerFileName.deb
Make sure these kernel flags are set to y:
CONFIG_KRETPROBES=y
CONFIG_KPROBES=y
CONFIG_FTRACE=y
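The Linux checks above (kernel flags, SSE4_2, Kernel Lockdown mode, older-kernel limits) as a preflight script. This is an added example, not SonicWall or SentinelOne code; the function names and the short labels it prints are assumptions of this example, and the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the Linux Agent requirements on this page.
# Functions take a file path, so they work on a live host (typically
# /boot/config-$(uname -r), /proc/cpuinfo, /sys/kernel/security/lockdown)
# or on saved copies. Labels printed by kernel_limits are this example's own.

REQUIRED_FLAGS="CONFIG_KRETPROBES CONFIG_KPROBES CONFIG_FTRACE"

# Print each required kernel flag that is not set to "y" in the config file.
missing_kernel_flags() {
  local flag out=""
  for flag in $REQUIRED_FLAGS; do
    grep -qx "${flag}=y" "$1" || out="${out:+$out }$flag"
  done
  printf '%s\n' "$out"
}

# Succeed only if the CPU flags line lists sse4_2 (hypervisors can mask it).
has_sse42() { grep -m1 '^flags' "$1" | grep -qw 'sse4_2'; }

# Print the active Kernel Lockdown mode, which the kernel shows in [brackets].
lockdown_mode() { sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"; }

# True if version $1 sorts strictly before $2 (relies on GNU sort -V).
ver_lt() { [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]; }

# Print the older-kernel limitations from this page that apply to release $1.
kernel_limits() {
  if ver_lt "$1" "2.6.32-358"; then echo "unsupported"; return 0; fi
  ver_lt "$1" "3.8"  && echo "no-static-ai-on-file-write"
  ver_lt "$1" "3.10" && echo "no-containers"
  ver_lt "$1" "3.11" && echo "no-static-ai-on-container-write"
  return 0
}

# Constructed sample inputs (not from a real host) so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'CONFIG_KPROBES=y\nCONFIG_KRETPROBES=y\n# CONFIG_FTRACE is not set\n' >"$SAMPLE_DIR/config"
printf 'flags\t\t: fpu sse sse2 ssse3 sse4_1 popcnt\n' >"$SAMPLE_DIR/cpuinfo"
printf 'none integrity [confidentiality]\n' >"$SAMPLE_DIR/lockdown"

echo "missing kernel flags: $(missing_kernel_flags "$SAMPLE_DIR/config")"
has_sse42 "$SAMPLE_DIR/cpuinfo" && echo "SSE4_2: present" || echo "SSE4_2: missing"
[ "$(lockdown_mode "$SAMPLE_DIR/lockdown")" = "confidentiality" ] && echo "lockdown: unsupported mode"
echo "kernel 3.10.0-1160 limits: $(kernel_limits 3.10.0-1160)"
```

On a real endpoint, pass the live paths named in the header comment and `uname -r` instead of the sample files.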
Browser Levels
Based on the operating system you are using, the following browser levels are supported. These browser levels apply to the browser running the Cloud Management Console.
Browser Supported | Windows Server | Windows 11 | Windows 10 | Windows 8 | Windows 7 | Vista | Linux | macOS |
Edge Chromium (latest version) | Yes | Yes | Yes | | | | | |
Mozilla Firefox (version 52.5 ESR or later) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Google Chrome (latest version) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Apple Safari (latest version) | | | | | | | | Yes |
It is recommended that administrators also review SentinelOne Version availability with Capture Client before installation and upgrades.