SES Evolution 2.3.1 new features and enhancements
Improved pool protection
Built-in Yara scan tool
SES Evolution now integrates the Yara scan tool, which is based on rules that make it possible to detect binary or textual patterns in files or running processes. By recognizing known patterns, Yara identifies threats or attacks targeting workstations. The administrator can then set up remediation actions.
Yara scans can be launched when a security rule detects or blocks abnormal traffic, but you can also launched Yara scans manually at any time, to monitor one or several agents on demand. These scans can also be scheduled by agent group, at regular intervals and for a specified duration.
Yara is an open-source tool with free online documentation that explains how to build rules. Depending on the current events, Stormshield will also provide Yara rules in order to detect potential new threats.
Automatic updates of policies and rule sets
When a new version of SES Evolution is installed, it contains the most recent versions of built-in security policies and built-in rule sets. However, Stormshield may sometimes publish an update of any of these resources separately from a version to provide a quick antidote to new threats or a quick reaction to changes in third-party products. You can now easily access these updates from the console and choose to install them automatically. The icon allows you to access the new panel from which resources can be downloaded.
Resources are available by default on the Stormshield public server. You can also configure a local server of your choice if you work in an offline environment.
Detailed descriptions are given of the changes made in the new versions of policies and rule sets. These descriptions are available only in French and English.
Parent PID Spoofing protection
The new protection against parent PID spoofing is available in the Threats tab of a protection rule set. It prevents hackers from starting programs that they would declare as children of arbitrarily chosen existing processes.
New shared rule sets II 901
The following rule sets have been added to the shared rule sets in the administration console. With these rules, sensitive information systems can be protected, in line with the French interministerial instruction no. 901 drafted by the ANSSI. These five rule sets are templates. To use them, adapt them to your environment by duplicating them in your policies.
|II901 - Common application hardening template|
|II901 - Common device hardening template|
|II901 - Network client hardening template|
|II901 - Network server hardening template|
|II901 - USB decontamination station hardening template|
In addition, the new shared rule sets below can be downloaded from your MyStormshield personal area or from the Stormshield public server:
|Protection against malicious usage of LOLBIN||
This protection set prevents hackers from using certain Microsoft LOLBIN binary files maliciously.
|Block-list of known dangerous applications||This protection set blocks the startup of known harmful applications identified by hash or by certificate|
|Monitoring of known dangerous or vulnerable drivers||This audit rule set raises alerts when a known dangerous or vulnerable driver is loaded.|
Changes to existing rule sets
Some existing built-in rule sets have been modified. SES Evolution2.3.1 includes v188.8.131.528a rule sets.
For details on these modifications, refer to Stormshield rule sets release notes in the Downloads menu in your Mystormshield personal area.
Refer to Recommendations to find out our recommendations with regard to implementing security policies.
Grouping of similar logs
When similar events occur on one or several agents, the generated logs are now displayed by group in the Agent logs menu of the administration console. In this way, there are considerably fewer lines of logs to read, and grouped logs can be easily distinguished from isolated logs. Many details are shown in log groupings, such as the dates and times of the first and last logs.
You can also add exceptions for all logs in a grouping by applying a single action.
Google and VirusTotal search links from agent logs
In the details of an agent-generated log, which can be accessed from the Agent Logs menu of the administration console, two new links make it possible to check the maliciousness of each process involved, either on Google or the VirusTotal website.
New information in system logs
System logs now indicate all changes made in the administration console with regard to agent groups and agent handlers.
Compatible Microsoft Windows versions
SES Evolution now supports Windows Server Core 2012 R2, 2016, 2019 and 2022 operating systems for all its components except the administration console.
Enabling Detection mode on policies and rule sets
SES Evolution now offers Detection mode for security policies and rule sets. When this mode is enabled, agents do not block operations, but instead, generate logs indicating the operations that would have been blocked by a rule. This allows you to easily test security policies or rule sets on a pool before using them in a production environment and without disrupting users, so that you can measure the impact of restrictions and make adjustments accordingly.
You can enable Detection mode on an entire policy in the agent group settings, or on individual rule sets in a policy.
Filtering USB devices at startup
Security rules that make it possible to monitor the use of USB devices now apply as soon as a workstation starts up, before the Windows session opens.
Context-relevant sections of the SES Evolution solution documentation can now be accessed from the panels in the administration console.
Versions of rule sets and advanced protections
When a policy uses rule sets or advanced protections that are not in their most recent versions, a new visual indicator now appears in the console. A button on the row of such a rule set makes it possible to easily update the set.
Using the dashboard
You can now browse from the dashboard to the various panels of the console by using several links spread out over graphs, icons and text segments in the dashboard.
Copying and pasting rules
Rules can be copied and pasted between rule sets of the same type (audit or protection) and between policies.
Duplicating agent groups
Existing agent groups can be duplicated in the administration console to create a new group. While the duplicated group keeps all the settings of the original group, it does not contain any agents.