
EndPoint Protection (EPP)

The Endpoint Protection (EPP) feature of the SenseOn Universal Sensor detects and automatically blocks a wide range of threats on your endpoints. It combines real-time scanning, blocking and quarantining to stop malicious files and processes before they compromise a system, and uses threat intelligence, heuristics and machine learning to provide multi-layered protection against malware, ransomware and zero-day attacks.

Independent testing has proven the ability of SenseOn’s EPP to minimise false positives and software conflicts. However, as with all software, it is crucial for IT departments to conduct thorough testing and phased rollouts to ensure compatibility and effectiveness within their unique IT environments. This document provides best practices and recommendations for integrating the EPP feature safely across your IT estate.

Pre-Deployment Preparation

1. Assessment and Planning

  • Inventory your assets: understand the scope of your IT environment. Catalogue all devices, operating systems, and applications that will interact with the EPP feature.
  • Identify critical systems: prioritise systems based on their criticality to business operations. This will help in devising a phased rollout plan.

2. Compatibility Checks

  • Software compatibility: verify that the EPP feature is compatible with the operating systems and software applications in your environment.

💡 Note: Full EPP is currently available for devices running Windows 8.1, Windows Server 2012 R2, or later. A basic version of file scanning (without in-memory process protection) is available on macOS 14 (Sonoma) or later. The table below shows which capabilities apply to each platform.

Feature                           Windows (8.1+)   macOS (Sonoma+)
Full On-Access File Scanning      ✅               ❌
  Scans files as endpoint users access them, using SenseOn's full threat intelligence and detection engine.
Limited On-Access File Scanning   Not required     ✅
  Scans files as endpoint users access them, using a basic threat intelligence and detection engine.
Automated File Quarantine         ✅               ❌
  Moves malicious files to a secure location on the device, concealed from the endpoint user.
Automated File Blocking           Not required     ✅
  Blocks access to malicious files, which remain visible to the endpoint user; the user is notified that the file is blocked and told to contact IT support.
Process Protection                ✅               ❌
  Identifies process-based malware, attempted exploits and attacks by monitoring the system's memory space.
  • Hardware requirements: ensure that all endpoint devices meet the minimum specifications required for optimal EPP performance.

💡 Minimum version: v6.9.0 is the minimum version of the SenseOn Universal Sensor required to run EPP. The installed version can be checked in Digital Estate > Devices > EPNS.
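The assessment and compatibility steps above come down to one question per device: can it run EPP, and in which wave should it receive it? The script below, an added example written for this guide rather than SenseOn code, answers both from a device inventory. The CSV columns and the sample rows are constructed for the example (SenseOn defines no such export); the thresholds are the ones stated above (Windows 8.1 / Server 2012 R2, which report NT kernel 6.3; macOS 14; sensor v6.9.0).

```python
"""Classify a device inventory for EPP eligibility and sketch rollout waves.

Added example for this guide, not SenseOn code. The CSV layout is assumed:
the guide says to catalogue devices, operating systems and sensor versions,
but defines no export format. Thresholds are the ones the guide states:
Windows 8.1 / Server 2012 R2 (NT kernel 6.3) or later for full EPP,
macOS 14 (Sonoma) or later for limited EPP, Universal Sensor v6.9.0 or later.
"""
import csv
import io
from dataclasses import dataclass

MIN_WINDOWS_KERNEL = (6, 3)   # Windows 8.1 and Server 2012 R2 both report 6.3
MIN_MACOS = (14, 0)           # macOS 14 Sonoma
MIN_SENSOR = (6, 9, 0)        # Universal Sensor v6.9.0

# Constructed sample inventory; the columns are an assumption, not a SenseOn export.
SAMPLE_INVENTORY = """\
hostname,os,os_version,sensor_version,critical
ws-001,windows,10.0.19045,6.9.2,no
ws-002,windows,6.1.7601,6.9.2,no
ws-003,windows,10.0.22631,6.9.2,no
srv-db1,windows,10.0.20348,6.8.4,yes
mac-101,macos,14.4,6.10.0,no
mac-102,macos,13.6,6.9.0,no
srv-ad1,windows,6.3.9600,6.9.0,yes
"""


@dataclass
class Device:
    hostname: str
    os: str            # "windows" or "macos" (anything else is unsupported)
    os_version: str    # dotted numeric version as reported by the OS
    sensor_version: str
    critical: bool     # business-critical: deployed last, never in the pilot


def parse_version(text: str) -> tuple:
    """'v6.9.0' -> (6, 9, 0). Tuples compare element-wise, so 6.10.0 > 6.9.0."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def load_inventory(csv_text: str) -> list:
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Device(r["hostname"], r["os"].strip().lower(), r["os_version"],
               r["sensor_version"], r["critical"].strip().lower() == "yes")
        for r in rows
    ]


def epp_tier(device: Device) -> str:
    """'full' (Windows), 'limited' (macOS file scanning only) or 'unsupported: <why>'."""
    if parse_version(device.sensor_version) < MIN_SENSOR:
        return "unsupported: Universal Sensor below v6.9.0"
    major_minor = parse_version(device.os_version)[:2]
    if device.os == "windows":
        if major_minor >= MIN_WINDOWS_KERNEL:
            return "full"
        return "unsupported: Windows older than 8.1 / Server 2012 R2"
    if device.os == "macos":
        if major_minor >= MIN_MACOS:
            return "limited"
        return "unsupported: macOS older than 14 (Sonoma)"
    return "unsupported: operating system not covered by EPP"


def rollout_waves(devices: list) -> dict:
    """Pilot = first non-critical device of each OS, then remaining non-critical,
    then critical. Unsupported devices are listed so they are fixed, not forgotten."""
    tiers = {d.hostname: epp_tier(d) for d in devices}
    eligible = [d for d in devices if not tiers[d.hostname].startswith("unsupported")]
    excluded = [d for d in devices if tiers[d.hostname].startswith("unsupported")]
    pilot, seen_os = [], set()
    for d in eligible:
        if not d.critical and d.os not in seen_os:
            pilot.append(d)
            seen_os.add(d.os)
    pilot_names = {d.hostname for d in pilot}
    rest = [d for d in eligible if d.hostname not in pilot_names]
    return {
        "pilot": pilot,
        "non_critical": [d for d in rest if not d.critical],
        "critical": [d for d in rest if d.critical],
        "excluded": excluded,
    }


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for wave, members in rollout_waves(inventory).items():
        print(wave)
        for d in members:
            print(f"  {d.hostname:8} {d.os:8} {d.os_version:12} {epp_tier(d)}")
```

Point the loader at your own export and the "excluded" list becomes the remediation backlog (sensor upgrades, OS upgrades or an alternative control) that must be worked before those devices can join a wave.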

3. EPP Configuration

  • Tailor the EPP policies to balance security needs against business operations. Consider creating exceptions for trusted applications to reduce false positives. EPP configuration is applied per device segment, so first create the segments that define which devices receive which settings.

💡 Segment creation: To create a segment go to Settings > Device Segments > Create New Segment

Create a new segment option in SenseOn interface

  • Once you have created the segment to which you wish to apply an EPP configuration, you can apply the settings for Antimalware (file-based real-time scanning) and Process Protection (memory-based protection).

💡 Apply Configuration: To apply a configuration, go to Device Configuration and select the segment you wish to apply the settings to. Click edit to change a setting.

Edit options for a segment in SenseOn UI

Configuring Antimalware (File-based scanning, quarantine and removal)

Within the Antimalware settings, you have the option to turn the feature on/off; configure the response automation settings; add alerting exclusions; and add response exclusions.

  • To turn the feature on, change the setting pictured below to On.

EPP Turn On

The Protection level setting controls how much action EPP takes on the user's behalf. The three settings are:

  • Respond. EPP automatically quarantines files deemed malicious on Windows devices, and blocks access to files deemed malicious on macOS devices.
  • Alert. EPP raises an alert for malicious files found on both Windows and macOS devices. It does NOT automatically block or quarantine them; an analyst can do so manually after review.
  • Compatibility. Similar to the Alert setting, but this mode can be used alongside other antivirus products without risk of interference.

⚠ Warning: Do not enable EPP in Respond or Alert mode if another antivirus product is running on the device; use Compatibility mode instead.

EPP enable response mode

  • Alert Exclusions reduce potential false positives by defining rules under which no alert is generated. A rule can match on the file path and/or file hash of the file being accessed (for specific files you do not wish to be alerted on) or on the process accessing files (for widely used processes that should be allowed to access files). A hash pins the exact file content, whereas a path exclusion trusts whatever is written to that location, so prefer hashes for files in user-writable directories.

EPP Alert Exclusions

Configuring Process Protection (in-memory process scanning & termination)

Within the Process Protection settings, you have the option to turn the feature on/off; configure the response automation settings; add alerting exclusions; and add response exclusions.

  • To turn the feature on, change the setting pictured below to On.

Enable real time process protection

  • The Sensitivity setting controls the trade-off between false positives and false negatives. High sensitivity reduces the risk of a true threat being missed but increases false positives; Low sensitivity reduces false positives but increases the risk of a true threat being missed. We recommend the Medium setting to reduce risk whilst keeping false positives manageable.

EPP Sensitivity settings

  • Monitoring Exclusions let you specify processes that are excluded from monitoring. These are not scanned at all and are allowed to run across all devices within the segment, so an excluded process is a blind spot; if your only concern is an unwanted automatic kill, a Termination Exclusion (below) keeps visibility while removing the automated response.

EPP Monitoring Exclusions

  • Termination Exclusions enables users to specify processes they wish to be excluded from automatic termination. If scanned and found to be malicious, they will not be automatically terminated. This applies across all devices within the segment.

EPP Termination Exclusions

  • Test Your Policies: Validate policies in a controlled environment to ensure they work as intended without disrupting legitimate activities.
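A concrete way to validate a segment's Antimalware policy on a pilot device, without touching real malware, is the EICAR test file: a harmless 68-byte string that every on-access scanner is expected to detect. The script below is an added example written for this guide, not SenseOn code. It encodes the behaviour the Protection level section above describes (Respond quarantines on Windows so the file disappears, blocks on macOS so the file stays visible but unreadable, Alert and Compatibility leave the file readable and only alert) and checks what actually happened on the device. The settle delay, the EPP_LEVEL environment variable and the temporary file name are assumptions for this script.

```python
"""Validate an EPP policy on a pilot device with the EICAR test file.

Added example for this guide, not SenseOn code. EICAR is the industry-standard
harmless antivirus test string, which any on-access scanner is expected to
detect, so it exercises the configured protection level without real malware.
The expected outcomes are the ones this guide describes: in Respond mode a
Windows device quarantines the file (it disappears from the path) and a macOS
device blocks it (still visible, but unreadable); Alert and Compatibility
modes only raise an alert and leave the file readable. The settle delay and
the EPP_LEVEL environment variable are assumptions for this script.
"""
import hashlib
import os
import platform
import shutil
import tempfile
import time

# The 68-byte EICAR string, assembled from two halves so this script is not
# itself flagged while it sits on disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}" + b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_sha256() -> str:
    """Digest of the constant, so a corrupted copy of the script is caught early."""
    return hashlib.sha256(EICAR).hexdigest()


def expected_outcome(os_name: str, protection_level: str) -> str:
    """What the guide says each protection level does on each platform."""
    if protection_level.strip().lower() != "respond":
        return "readable"       # Alert and Compatibility: alert only, no enforcement
    return {"windows": "quarantined", "macos": "blocked"}.get(os_name.lower(), "readable")


def classify(exists: bool, intact: bool) -> str:
    """Map what was observed on disk to the guide's three outcomes."""
    if not exists:
        return "quarantined"    # removed from the path (Windows quarantine)
    if intact:
        return "readable"       # present and readable: no enforcement happened
    return "blocked"            # present but could not be read back intact (macOS block)


def probe(directory: str, settle_seconds: float = 5.0) -> str:
    """Write the EICAR file, give the scanner time to react, then read it back."""
    path = os.path.join(directory, "epp-policy-check.com")
    try:
        with open(path, "wb") as fh:
            fh.write(EICAR)
    except OSError:
        return "blocked"        # write refused outright by the scanner
    time.sleep(settle_seconds)
    exists = os.path.exists(path)
    intact = False
    if exists:
        try:
            with open(path, "rb") as fh:
                intact = fh.read() == EICAR
        except OSError:
            intact = False
    result = classify(exists, intact)
    if result == "readable":
        os.remove(path)         # nothing intervened, so clean up ourselves
    return result


def main() -> None:
    os_name = {"Windows": "windows", "Darwin": "macos"}.get(platform.system(), "other")
    level = os.environ.get("EPP_LEVEL", "respond")     # assumed: the segment's protection level
    assert eicar_sha256() == EICAR_SHA256, "EICAR constant corrupted"
    workdir = tempfile.mkdtemp(prefix="epp-check-")
    try:
        observed = probe(workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)     # a blocked file may resist deletion
    expected = expected_outcome(os_name, level)
    verdict = "PASS" if observed == expected else "FAIL"
    print(f"{os_name}/{level}: expected {expected}, observed {observed} -> {verdict}")


if __name__ == "__main__":
    main()
```

Run it on one pilot device per segment and per platform, with EPP_LEVEL set to the protection level configured for that segment, and confirm the corresponding alert also appears in the SenseOn console; a PASS on disk without an alert means the response fired but the investigation trail did not, which is worth raising with support before the phased rollout continues.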

Phased Deployment Strategy

1. Pilot Testing

  • Select pilot group: choose a small, representative sample of your IT environment, including various types of devices and systems.
  • Monitor and adjust: closely monitor the pilot deployment for any issues or disruptions. Adjust configurations as necessary to minimise impact.

2. Phased Rollout

  • Segment your rollout: divide your IT estate into manageable segments. Consider starting with non-critical systems before moving to more critical ones. Refer to the above instructions on how to do this.
  • Schedule rollouts: plan your rollouts during low-activity periods to mitigate potential disruptions to business operations.

3. Continuous Monitoring

  • Real-time monitoring: utilise the EPP’s real-time monitoring capabilities to detect and respond to threats swiftly.
  • Review and refine: regularly review the performance and effectiveness of the EPP feature. Refine policies and configurations based on operational feedback and emerging threats.

Post-Deployment

1. User Training

  • Educate end-users: conduct training sessions to educate end users about the EPP feature, its benefits, and any changes to their workflow.

2. Documentation and Support

  • Maintain documentation: keep detailed records of configurations, policies, and any exceptions. This documentation will be invaluable for troubleshooting and future audits.
  • Leverage support: utilise SenseOn’s support resources for any technical challenges or questions that arise during or after deployment.

3. Regular Updates and Maintenance

  • Apply updates promptly: regularly update the Universal Sensor to ensure protection against the latest threats. Schedule updates during off-peak hours to reduce business impact.

Conclusion

Implementing the SenseOn Universal Sensor EPP feature across your IT estate requires careful planning, testing, and monitoring to ensure its effectiveness and compatibility. By following the best practices outlined in this document, you can achieve a balance between robust security and uninterrupted business operations.