SES Evolution 2.1 new features

New protections

Advanced protections

Advanced protections make it possible to protect your pool from malicious operations such as the theft of authentication credentials, malicious use of Windows tools, persistence techniques, etc.

New built-in policy: Protection of backoffice components

A built-in security policy is now available to increase the security of SES Evolution backoffice components. This policy must be applied to agent groups that contain agent handlers, backends and the administration console.
In addition to the security features in the default policy, it includes several modular rule sets, each of which corresponds to a backoffice component. The policy consists of the following rule sets:

  • Audits of attack contexts,
  • Backend protection (new),
  • Agent handler protection (new),
  • Administration console protection (new),
  • Advanced protections (new),
  • Protection baseline.

Changes to existing policies

The default policy has been enriched with new rule sets that provide advanced protections and protection from theft of sensitive information.

It now consists of the following rule sets:

  • Audits of attack contexts,
  • Advanced protections (new),
  • Data leak prevention (new),
  • Protection baseline.

When updating from SES Evolution 2.0.x to version 2.1, refer to the Recommendations to find out the steps to take with regard to policy updates.

New built-in rule sets

The following rule sets have been added:

Backend protection

Protects the IIS application server (programs, settings, injection, etc.), database and SES Evolution Installation Center.

Agent handler protection

Protects the agent handler (programs, settings, injection, etc.), database and SES Evolution Installation Center.

Administration console protection

Protects the SES Evolution administration console (programs, settings, injection, etc.), database and SES Evolution Installation Center.

Advanced protections

Unlike protections that react to a strong individual event, advanced protections react to a pattern of several weak events, which, when combined, represent a threat.

Data leak prevention

Protects some specific applications used frequently in organizations, e.g., web browsers, file transfer tools, vaults, Windows security authorities and remote control tools. This protection mode covers unauthorized access to files, registry locations and keylogging attempts to deter the theft of sensitive assets.

Windows security authorities are also protected from interprocess access, which prevents the extraction of Windows passwords. Special attention is given to programs that allow external code to run (e.g., script engines, DLL loaders, etc.), so that their operations will always be blocked. Likewise, programs provided by default with Windows (LOLBIN) that allow indirect access to information are blocked.

Windows Defender event forwarding

Consolidates in the administration console the security alerts of interest that Windows Defender raises on protected workstations in the SES Evolution pool. It is not included in built-in policies, so it must be added manually to your policies.

Changes to existing rule sets

The following rule sets have been modified:

Audits of attack contexts
  • Operations by programs that allow external code to run (e.g., script engines, DLL loaders, etc.) are now always logged, even when they are signed.
  • The list of certificates that the rule set recognizes has been enriched.
  • Rule severity levels have been revised so that no rule is below the agent group’s default threshold (Notice level being the lowest).
  • Advanced detection of ARP spoofing has been added to this rule set to detect man-in-the-middle attacks.
  • The rule set has been optimized to minimize impact on system performance without compromising audit quality. This also reduces the possibility of losing logs during intense activity.
Protection baseline

This rule set has been enriched and hardened:

  • Settings cannot be changed in safe mode,
  • BCD (Boot Configuration Data) is now protected,
  • The list of applications recognized as hacking tools has been enriched,
  • Script engines can no longer be run from browsers,
  • System configuration files (hosts, services and network) are now protected from unwanted changes,
  • Third-party programs are monitored and not allowed to run from MS Office applications,
  • Heuristic analysis of malicious data theft programs, based on the name of the accessed file, has been improved,
  • Unsigned services are monitored and prevented from running.

Agent management

Agent groups based on Active Directory criteria

Agents can be automatically assigned to an agent group according to the Active Directory groups or organizational units to which they belong. This feature saves time and lowers the risk of error when creating agent groups.

Uninstalling agents

You can now prevent the local administrator of a workstation from uninstalling the SES Evolution agent. In this case, the agent can still be uninstalled via a challenge.

Agent filtering

New filters now make it possible to show the list of agents by criteria such as operating system, status, security policy, etc.

A new diagram now appears in the dashboard of the administration console and shows the number of agents in the pool for each version of SES Evolution.

Log retention in the database

The duration of log retention in the log database can be configured, either when SES Evolution is installed, or at any time through the new System menu in the administration console. When logs reach the end of their retention period, they will be deleted by a task that runs regularly.

Versions of policies and rule sets

The versions of policies and rule sets are now better managed to optimize storage space in the administration database.

Removable devices

The list of known USB devices (vendor and product) has been updated in the administration console.

Activity monitoring

Windows event monitoring

Windows events of your choice can be forwarded to SES Evolution so that security information about your environment can be displayed.

Logging of user activity

User activity in the SES Evolution administration console is now logged through a full audit of operations performed.

Backoffice component logs

A new menu in the administration console, System logs, shows the activity of agent handlers, backend servers and the SES Evolution administration console.

OSSEC analysis engine

OSSEC rules can now be imported into security policies from the administration console. This allows agents to subscribe to text-based logs or Windows events, and report them as SES Evolution logs in the log database or a SIEM.

Exporting to syslog servers

Logs can now be exported to several syslog servers, and the IDMEF and CEF export formats have been added to facilitate their integration into your solutions.