SES Evolution 2.3.1 new features and enhancements

Improved pool protection

Built-in Yara scan tool

SES Evolution now integrates the Yara scan tool, which is based on rules that make it possible to detect binary or textual patterns in files or running processes. By recognizing known patterns, Yara identifies threats or attacks targeting workstations. The administrator can then set up remediation actions.

Yara scans can be launched when a security rule detects or blocks abnormal traffic, but you can also launch Yara scans manually at any time, to monitor one or several agents on demand. These scans can also be scheduled by agent group, at regular intervals and for a specified duration.

Yara is an open-source tool with free online documentation that explains how to build rules. Depending on the current events, Stormshield will also provide Yara rules in order to detect potential new threats.


Stormshield resources

Automatic updates of policies and rule sets

When a new version of SES Evolution is installed, it contains the most recent versions of built-in security policies and built-in rule sets. However, Stormshield may sometimes publish an update of any of these resources separately from a version to provide a quick antidote to new threats or a quick reaction to changes in third-party products. You can now easily access these updates from the console and choose to install them automatically. The icon allows you to access the new panel from which resources can be downloaded.

Resources are available by default on the Stormshield public server. You can also configure a local server of your choice if you work in an offline environment.

Detailed descriptions are given of the changes made in the new versions of policies and rule sets. These descriptions are available only in French and English.


New protections

Parent PID Spoofing protection

The new protection against parent PID spoofing is available in the Threats tab of a protection rule set. It prevents hackers from starting programs that they would declare as children of arbitrarily chosen existing processes.
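The condition this protection targets can also be seen in process-creation telemetry, where the process that actually issued the creation differs from the parent declared for the new process. The sketch below is an added illustration, not Stormshield code and not a description of how SES Evolution implements the protection; the record fields, sample events, PIDs and the trusted-creator list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcStart:
    """One process-creation record (field names are assumptions)."""
    ts: str
    pid: int
    image: str
    declared_ppid: int   # parent PID recorded for the new process
    creator_pid: int     # PID of the process that issued the creation

# Processes already running before the capture starts (constructed).
RUNNING = {900: "winlogon.exe", 1200: "svchost.exe"}

# Constructed sample events, in chronological order.
SAMPLE_EVENTS = [
    ProcStart("2022-08-01T09:00:00", 4100, "explorer.exe", 900, 900),
    ProcStart("2022-08-01T09:00:05", 5200, "winword.exe", 4100, 4100),
    ProcStart("2022-08-01T09:01:10", 6300, "loader.exe", 5200, 5200),
    # Declared as a child of explorer.exe but created by loader.exe.
    ProcStart("2022-08-01T09:01:12", 6400, "cmd.exe", 4100, 6300),
    # Created by a service on behalf of the user session, a benign
    # pattern (for example elevation brokering) that needs an allow-list.
    ProcStart("2022-08-01T09:02:00", 6500, "mmc.exe", 4100, 1200),
]

def find_ppid_mismatches(events, running=None, trusted_creators=frozenset()):
    """Return events whose declared parent is not the real creator.

    trusted_creators holds lower-case image names of brokers allowed to
    create processes for others; matching by name only is a simplification,
    a real allow-list should pin path and signer.
    """
    images = dict(running or {})          # pid -> image, updated as we go
    findings = []
    for ev in events:
        creator = images.get(ev.creator_pid, "<unknown>")
        mismatch = ev.creator_pid != ev.declared_ppid
        if mismatch and creator.lower() not in trusted_creators:
            findings.append({
                "ts": ev.ts, "pid": ev.pid, "image": ev.image,
                "declared_parent": images.get(ev.declared_ppid, "<unknown>"),
                "actual_creator": creator,
            })
        images[ev.pid] = ev.image
    return findings

if __name__ == "__main__":
    for f in find_ppid_mismatches(SAMPLE_EVENTS, RUNNING, {"svchost.exe"}):
        print(f)
```

Running the same events in Detection mode style triage, without the allow-list, also surfaces the broker-created process, which shows why the exception list has to be tuned before alerts are acted on.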

New shared rule sets II 901

The following rule sets have been added to the shared rule sets in the administration console. With these rules, sensitive information systems can be protected, in line with the French interministerial instruction no. 901 drafted by the ANSSI. These five rule sets are templates. To use them, adapt them to your environment by duplicating them in your policies.

II901 - Common application hardening template
II901 - Common device hardening template
II901 - Network client hardening template
II901 - Network server hardening template
II901 - USB decontamination station hardening template

In addition, the new shared rule sets below can be downloaded from your MyStormshield personal area or from the Stormshield public server:

Protection against malicious usage of LOLBIN: This protection set prevents hackers from using certain Microsoft LOLBIN binary files maliciously.
Block-list of known dangerous applications: This protection set blocks the startup of known harmful applications identified by hash or by certificate.
Monitoring of known dangerous or vulnerable drivers: This audit rule set raises alerts when a known dangerous or vulnerable driver is loaded.


Changes to existing rule sets

Some existing built-in rule sets have been modified. SES Evolution 2.6.1 includes v2.3.2.2208a rule sets.

For details on these modifications, refer to the Stormshield rule sets release notes in the Downloads menu in your MyStormshield personal area.

Refer to Recommendations for our recommendations on implementing security policies.

Activity monitoring

Grouping of similar logs

When similar events occur on one or several agents, the generated logs are now displayed by group in the Agent logs menu of the administration console. In this way, there are considerably fewer lines of logs to read, and grouped logs can be easily distinguished from isolated logs. Many details are shown in log groupings, such as the dates and times of the first and last logs.

You can also add exceptions for all logs in a grouping by applying a single action.


Google and VirusTotal search links from agent logs

In the details of an agent-generated log, which can be accessed from the Agent Logs menu of the administration console, two new links make it possible to check the maliciousness of each process involved, either on Google or the VirusTotal website.


New information in system logs

System logs now indicate all changes made in the administration console with regard to agent groups and agent handlers.

Compatible Microsoft Windows versions

New compatibilities

SES Evolution now supports Windows Server Core 2012 R2, 2016, 2019 and 2022 operating systems for all its components except the administration console.

Security policies

Enabling Detection mode on policies and rule sets

SES Evolution now offers Detection mode for security policies and rule sets. When this mode is enabled, agents do not block operations, but instead, generate logs indicating the operations that would have been blocked by a rule. This allows you to easily test security policies or rule sets on a pool before using them in a production environment and without disrupting users, so that you can measure the impact of restrictions and make adjustments accordingly.

You can enable Detection mode on an entire policy in the agent group settings, or on individual rule sets in a policy.


Removable Devices

Filtering USB devices at startup

Security rules that make it possible to monitor the use of USB devices now apply as soon as a workstation starts up, before the Windows session opens.


Administration console

Contextual help

Context-relevant sections of the SES Evolution solution documentation can now be accessed from the panels in the administration console.

Versions of rule sets and advanced protections

When a policy uses rule sets or advanced protections that are not in their most recent versions, a new visual indicator now appears in the console. A button on the row of such a rule set makes it possible to easily update the set.


Using the dashboard

You can now browse from the dashboard to the various panels of the console by using several links spread out over graphs, icons and text segments in the dashboard.


Copying and pasting rules

Rules can be copied and pasted between rule sets of the same type (audit or protection) and between policies.

Duplicating agent groups

Existing agent groups can be duplicated in the administration console to create a new group. While the duplicated group keeps all the settings of the original group, it does not contain any agents.