Capture Client Protecting Assets with Security Policies
Threat Protection Policies
Threat Protection policy is one of the security policies that Capture Client offers. To view the Threat Protection policies, navigate to Policies > Threat Protection. The Threat Protection page lists the POLICY MODE OPTIONS, PROTECTION & CONTAINMENT OPTIONS, ENGINE SETTING, and ADVANCED SETTINGS.
To define the threat protection policy
- Navigate to Policies > Threat Protection.
- If you want to configure a custom threat protection policy for a tenant, disable Inheritance.
- In the POLICY MODE OPTIONS section:
Set the Policy Mode or mitigation mode for threats and suspicious activities. The available mitigation modes are: Detect (Alert Only), Protect (Kill & Quarantine), or Capture ATP (Auto Mitigate).
Detect—Detects a potential threat or suspicious activity and reports it to the management console. Execution of threats known to be malicious by the SentinelOne Cloud Intelligence Service or on the blacklist will still be blocked.
Protect—Detects a potential threat, reports it to the management console, and immediately performs the configured Mitigation Action to mitigate the threat. To understand protection and options available for Protect mode, see step b.
Capture ATP—Lets Capture ATP analyze suspicious activities and take action based on the Capture ATP settings.
The options shown depend on the selected Policy Mode:

Capture ATP (Auto-mitigation):
You have an option to enable the setting that ensures Capture Client kills the process and blocks access to the file until a verdict is delivered.
Set the action to take if Capture ATP returns a Malicious Verdict:
- Mark as Threat—Automatically quarantines the file, marks it as a threat, and performs the corresponding mitigation action.
- Detect (Alert only)
Set the action to take if Capture ATP returns a Not Malicious Verdict:
- Detect (Alert only)
- Mark as Benign
Set the action to take if Capture ATP returns an Undetermined Verdict:
- Detect (Alert only)
- Mark as Threat
- Contain

Protect:
When Protect is selected, the Mitigation Action is automatically set to Kill & Quarantine. This stops processes, encrypts the executable, and moves it to a confined path.
If a threat is known, the Agent automatically kills the threat before it can execute. The only mitigation action here is Quarantine.

Detect (Alert Only):
Detects a potential threat and reports it to the management console. Execution of threats known to be malicious by the SentinelOne Cloud Intelligence Service or on the blacklist will be blocked.
- In the PROTECTION & CONTAINMENT OPTIONS section:
Set the protection level. The available protection options are: Kill & quarantine, Remediate, or Rollback.
If you selected Detect for the Mitigation Mode, the Mitigation Action field is hidden since there are no actions for that option.
- Select Disconnect from Network if you want to automatically put a device in network quarantine when an active threat is detected. All of the agent's network connections will be blocked except to the management console. Devices will not be disconnected if a threat is detected pre-execution by the Reputation or Deep File Inspection engines, because the threat is not active.
- In the ENGINE SETTINGS section:
Engine Type and Definition:
- Reputation: This engine uses the SentinelOne Cloud to make sure that no known malicious files are written to the disk or executed. This option cannot be disabled.
- Documents, Scripts: This is a behavioral AI engine on Windows devices that focuses on all types of documents and scripts.
- Lateral Movement: This is a behavioral AI engine on Windows devices that detects attacks that are initiated by remote devices.
- Anti-Exploitation/Fileless: This is a behavioral AI engine focused on exploits and all fileless attack attempts, such as web-related and command line exploits.
- Potentially unwanted applications: This is a static AI engine on macOS devices that inspects applications that are not malicious, but are considered unsuitable for business networks.
- Intrusion Detection: This is a behavioral AI engine on Windows devices focused on insider threats such as malicious activity through PowerShell or CMD.
- DFI (Deep File Inspection): This is a preventive static AI engine that scans for malicious files written to the disk.
- DFI (Deep File Inspection) - Suspicious: This engine is a more aggressive static AI engine on Windows devices that scans for suspicious files written to the disk. When in Protect mode, this engine is preventive.
- DBT (Dynamic Behavior Tracking) Executables: This is a behavioral AI engine that implements advanced machine learning tools. It detects malicious activities in real-time, when processes execute.
- In the ADVANCED SETTINGS section, click Manage Settings and configure the following:
Device Configuration Options and Definition:
- Scan new agents: Enables a disk scan on the endpoint after installation. It runs a full disk scan using its Static AI engine, identifying any pre-existing malicious files and mitigating them based on the defined policy.
- Anti Tamper: Does not allow end users or malware to manipulate, uninstall, or disable the client. Best practice is to keep this enabled.
- Agent UI: Enables the SentinelOne client interface on the endpoint. This should be disabled by default as it is redundant with the Capture Client interface.
- Snapshots: Sets Windows devices to keep Volume Shadow Copy Service (VSS) snapshots for rollback. If disabled, rollback is not available. Best practice is to keep this enabled.
- Logging: Saves logs for troubleshooting and support. Best practice is to keep this enabled.
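The dependencies between the settings above (a Rollback action that needs Snapshots, a Mitigation Action that is ignored in Detect mode, a Disconnect from Network option that only fires for active threats) are easy to get wrong when reviewing many tenant policies. The following added example, which is not Capture Client code and not from the article, checks a policy against the best-practice statements in this procedure and resolves what the policy would do for a given detection. It assumes a hypothetical dict layout for the policy (the product exposes these settings only in the console; no export format is documented here) and the engine and option names used in the article.

```python
"""Lint a Capture Client Threat Protection policy and resolve its response.

Added example, not part of Capture Client or its documentation. The dict
layout below is an assumption made for this example; the option names are
the ones the article uses.
"""

POLICY_MODES = {"Detect", "Protect", "Capture ATP"}
MITIGATION_ACTIONS = {"Kill & Quarantine", "Remediate", "Rollback"}
# Actions the console offers for each Capture ATP verdict.
VERDICT_ACTIONS = {
    "Malicious": {"Mark as Threat", "Detect (Alert only)"},
    "Not Malicious": {"Detect (Alert only)", "Mark as Benign"},
    "Undetermined": {"Detect (Alert only)", "Mark as Threat", "Contain"},
}
# Engines that stop a file before it runs; the threat is never "active".
PRE_EXECUTION_ENGINES = {"Reputation", "DFI (Deep File Inspection)"}

# Constructed sample policy (hypothetical layout), deliberately weak.
WEAK_POLICY = {
    "policy_mode": "Protect",
    "mitigation_action": "Rollback",
    "disconnect_from_network": True,
    "capture_atp_verdict_actions": {
        "Malicious": "Mark as Threat",
        "Not Malicious": "Mark as Benign",
        "Undetermined": "Detect (Alert only)",
    },
    "advanced": {"anti_tamper": False, "agent_ui": True,
                 "snapshots": False, "logging": True},
}

# The same policy with the advanced settings at the article's best practice.
HARDENED_POLICY = {
    **WEAK_POLICY,
    "advanced": {"anti_tamper": True, "agent_ui": False,
                 "snapshots": True, "logging": True},
}


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means no issues."""
    findings = []
    mode = policy.get("policy_mode")
    action = policy.get("mitigation_action")
    adv = policy.get("advanced", {})
    if mode not in POLICY_MODES:
        findings.append(f"unknown policy mode {mode!r}")
    if mode == "Detect" and action:
        findings.append("Detect mode alerts only; the Mitigation Action is ignored")
    if mode != "Detect" and action not in MITIGATION_ACTIONS:
        findings.append(f"unknown mitigation action {action!r}")
    if action == "Rollback" and not adv.get("snapshots", False):
        findings.append("Rollback selected but Snapshots (VSS) disabled: rollback is unavailable")
    if not adv.get("anti_tamper", False):
        findings.append("Anti Tamper disabled: users or malware can uninstall or disable the client")
    if adv.get("agent_ui", False):
        findings.append("Agent UI enabled: redundant with the Capture Client interface")
    if not adv.get("logging", False):
        findings.append("Logging disabled: no data for troubleshooting and support")
    for verdict, chosen in policy.get("capture_atp_verdict_actions", {}).items():
        if chosen not in VERDICT_ACTIONS.get(verdict, set()):
            findings.append(f"{chosen!r} is not an action offered for a {verdict} verdict")
    return findings


def resolve_response(policy: dict, engine: str, verdict: str = None) -> tuple:
    """Return (action, device_network_quarantined) for one detection."""
    # Known threats are killed before execution in every mode, and a
    # pre-execution detection never triggers Disconnect from Network.
    if engine in PRE_EXECUTION_ENGINES:
        return "Quarantine", False
    mode = policy["policy_mode"]
    if mode == "Detect":
        return "Alert only", False
    quarantine = bool(policy.get("disconnect_from_network", False))
    if mode == "Protect":
        return policy["mitigation_action"], quarantine
    # Capture ATP mode: the verdict decides; an alert-only choice mitigates nothing.
    action = policy["capture_atp_verdict_actions"].get(verdict, "Detect (Alert only)")
    if action == "Detect (Alert only)":
        return action, False
    return action, quarantine


if __name__ == "__main__":
    for line in lint_policy(WEAK_POLICY):
        print("finding:", line)
    print(resolve_response(WEAK_POLICY, "DBT (Dynamic Behavior Tracking) Executables"))
```

Running the linter on WEAK_POLICY reports the three best-practice deviations (Rollback without Snapshots, Anti Tamper off, Agent UI on), while HARDENED_POLICY passes clean; resolve_response shows that a DFI hit is quarantined without disconnecting the device in any mode, whereas a behavioral (DBT) hit under Protect applies the configured action and, with Disconnect from Network set, isolates the endpoint.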