Endpoint Requirements
Operating Systems
- Windows 8.1 and later desktop versions (64 bit)
- Windows Server 2012 R2 and later server versions (64 bit)
- Ubuntu Linux 18.04+ (64 bit)
- CentOS/RedHat 7+ (64 bit)
- macOS Catalina (10.15) or higher on Intel and M-series hardware
Non-supported systems: Other Linux operating systems may be functional, but are not officially supported. Network telemetry will require eBPF support in the Linux kernel; if this is not available, process telemetry will still be collected.
Operating System Feature Differences
We aim for feature parity across all our platforms whenever possible. However, due to technical constraints and the complexity of building features for different environments, simultaneous releases may not always be feasible. The table below explains the state of features across each platform.
Feature | Windows | macOS | Linux |
---|---|---|---|
Network Detection and Response (NDR) | Yes | Yes | Yes |
Endpoint Detection and Response (EDR) | Yes | Yes | Yes |
Endpoint Protection (EPP) | Yes | Yes | No |
Active Response | Yes | Soon | Yes |
Reflex | Yes | No | No |
Impact on CPU/RAM
The performance of the endpoint agent will change depending on which modules are loaded.
- With NDR and EDR features enabled but Endpoint Protection disabled:
  - Average CPU: <1% (depending on device type and hardware)
  - Average memory use: ~ 25 / 30 MiB
- With NDR, EDR, and Endpoint Protection features all enabled:
  - Average CPU: <5% (depending on device type and hardware)
  - Average memory use: ~ 450 / 500 MiB
Turning features on or off: Product features can be turned on or off by creating a segment and changing the configuration applied to that segment.
Network Requirements
Bandwidth
28 kilobits per second (~300 MiB in 24 hours), depending on device activity and workload.
Data Latency: Data is ingested into the platform in real time. There may be a delay of no greater than tens of seconds while data is analyzed before it is presented in the user interface. This delay will not affect the instant execution of automatic actions by the EPP.
Connectivity Requirements
Endpoint sensors using the cloud-hosted analysis platform will communicate with the following domains.
Specific domains: Specific domain names can be provided for your tenant if required. These can be provided by contacting support.
Domain Name | Purpose |
---|---|
*.snson.net | Endpoint agent telemetry and active response sessions. |
avmirror.snson.net | Antivirus updates used by EPP. Included in wildcard above. |
*.s3.amazonaws.com | Uploads/Downloads during active response and crash dumps. |
seev4.s3.amazonaws.com | Endpoint agent updates. Included in wildcard above. |
IP addresses: The IP address used for endpoint agent callbacks will remain static unless the tenant's region is changed. The IP addresses at *.s3.amazonaws.com are dynamic and can only be filtered using domain names.
TLS Interception
Endpoint sensors will use mutual TLS 1.2+ to communicate with the analysis platform. If TLS interception is used, a bypass will need to be put in place for *.snson.net.
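A pre-deployment check for the Connectivity Requirements table and the TLS interception bypass above, added here as an example and not part of SenseOn's documentation or tooling. It assumes list entries are either exact hostnames or a leading *. wildcard; the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SenseOn tooling. Assumes list entries are exact
# hostnames or a leading "*." wildcard; check your product's own syntax.
export LC_ALL=C

# covers ENTRY NAME: succeed if allowlist ENTRY covers NAME.
covers() {
    case "$1" in
        "$2") return 0 ;;                  # identical entry
        '*.'*)                             # wildcard entry
            case "$2" in
                *"${1#?}") return 0 ;;     # NAME ends with ".suffix"
            esac ;;
    esac
    return 1
}

# uncovered NAME...: read a list on stdin, print every NAME no entry covers.
uncovered() (
    set -f                                 # entries contain "*": no globbing
    entries="$(sed 's/#.*//' | tr -d ' \t\r' | tr 'A-Z' 'a-z')"
    for name in "$@"; do
        found=no
        for entry in $entries; do
            if covers "$entry" "$name"; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$name"
    done
)

# Names from the table: the egress allowlist needs all four, the
# TLS-interception bypass needs the *.snson.net wildcard.
check_egress_allowlist() {
    uncovered '*.snson.net' avmirror.snson.net '*.s3.amazonaws.com' seev4.s3.amazonaws.com
}
check_tls_bypass() { uncovered '*.snson.net'; }

# Constructed sample: names the two specific hosts, omits the telemetry wildcard.
sample_allowlist() {
    cat <<'EOF'
# egress allowlist (constructed sample)
avmirror.snson.net
seev4.s3.amazonaws.com
*.S3.AmazonAWS.com
EOF
}

# Prints "*.snson.net": telemetry and active response would be blocked.
sample_allowlist | check_egress_allowlist
```

Pipe the exported firewall or proxy list into check_egress_allowlist or check_tls_bypass; empty output means every required name is covered.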
Golden Images
The SenseOn installation generates a unique ID upon installation. If deploying using a 'golden image', the endpoint agent should be configured to generate a unique installation ID the next time the service is started. Therefore, before sealing your golden image, please do the following:
- Windows: Delete the file C:\Program Files\senseon-see\precise.uuid
- Debian/CentOS: Delete the file /etc/senseon-see/precise.uuid
- macOS: As root, delete the file /var/senseon-see/precise.uuid
Proxy Configuration
The endpoint sensor supports a TLS pass-through HTTPS proxy, which can be enabled by deploying a JSON file in the specified path. Configuration details are provided below.
Windows
- Stop the endpoint sensor service.
  - Open Start by clicking the Windows symbol on the bottom left corner or by pressing the Windows Key on your keyboard.
  - Search for Services (or services.msc) and click the top result to open the console.
  - Double-click the service called senseon-seed.
  - Click the Stop button.
  - Confirm the service is stopped by checking the list of services.
- Navigate to C:\ProgramData\senseon-see\ (to see C:\ProgramData and other hidden folders go to File Explorer → View and click on Show hidden files and folders)
- Open or create a new file: C:\ProgramData\senseon-see\proxy.json
- Write the following line into the file and change the host and port fields accordingly:
  {"proxy_host": "127.0.0.1", "proxy_port": 8118}
- Save the file.
- Start the endpoint sensor service.
  - Open Start by clicking the Windows symbol on the bottom left corner or by pressing the Windows Key on your keyboard.
  - Search for Services (or services.msc) and click the top result to open the console.
  - Double-click the service called senseon-seed.
  - Click the Start button.
  - Confirm the service is stopped by checking the list of services.
Linux
- Stop the endpoint sensor service using the command systemctl stop senseon-seed
- Navigate to /var/senseon-see
- Open or create a new file: /var/senseon-see/proxy.json
- Write the following into the file and change the host and port fields accordingly:
  {"proxy_host": "127.0.0.1", "proxy_port": 8118}
- Save the file.
- Start the endpoint sensor service using the command systemctl start senseon-seed
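The Linux steps above as a script, added here as an example and not SenseOn's own tooling: it validates the host and port before writing proxy.json, replaces the file in one rename, and starts the service again even if the write fails. The CONF_DIR override, the 0644 file mode and the --apply argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SenseOn tooling: scripted form of the Linux proxy steps.
export LC_ALL=C                            # make the A-Z / 0-9 ranges byte-exact
CONF_DIR="${CONF_DIR:-/var/senseon-see}"   # path from this page; override is an assumption
SERVICE="senseon-seed"                     # service name from this page

# render_proxy_json HOST PORT: print the one-line JSON document, or fail.
render_proxy_json() {
    # Host: letters, digits, dots and hyphens only, so a value cannot close
    # the JSON string and add keys of its own.
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|[.-]*|*[.-]) return 1 ;;
    esac
    # Port: plain decimal 1-65535, written unquoted as in the page's sample.
    case "$2" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#2}" -le 5 ] && [ "$2" -le 65535 ] || return 1
    printf '{"proxy_host": "%s", "proxy_port": %s}\n' "$1" "$2"
}

# write_proxy_json HOST PORT: replace proxy.json in one rename so the agent
# never reads a half-written file.
write_proxy_json() {
    json="$(render_proxy_json "$1" "$2")" || { echo "invalid host or port" >&2; return 1; }
    [ -d "$CONF_DIR" ] || { echo "$CONF_DIR not found" >&2; return 1; }
    tmp="$(mktemp "$CONF_DIR/proxy.json.XXXXXX")" || return 1
    # 0644: readable by the agent, writable by the owner only (assumed mode).
    if printf '%s\n' "$json" > "$tmp" && chmod 0644 "$tmp" &&
       mv -f "$tmp" "$CONF_DIR/proxy.json"; then
        return 0
    fi
    rm -f "$tmp"; return 1
}

# apply_proxy HOST PORT: stop, write, start. The service is started again
# even when the write fails, so a typo does not leave the host unmonitored.
apply_proxy() {
    systemctl stop "$SERVICE" || return 1
    rc=0; write_proxy_json "$1" "$2" || rc=$?
    systemctl start "$SERVICE" || return 1
    return "$rc"
}

# Usage (as root): sh set-proxy.sh --apply 127.0.0.1 8118
if [ "${1:-}" = "--apply" ]; then
    apply_proxy "${2:-}" "${3:-}"
fi
```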
macOS
- Stop the endpoint sensor service using the command systemctl stop senseon-seed.
- Navigate to /var/senseon-see
- Open or create a new file: /var/senseon-see/proxy.json
- Write the following into the file and change the host and port fields accordingly:
  {"proxy_host": "127.0.0.1", "proxy_port": 8118}
- Save the file.
- Start the endpoint sensor service using the command systemctl start senseon-seed.