Local Configuration
All configuration changes should be made using the options available on the Device Configuration page within the SenseOn platform. Local options should not be changed unless there are exceptional circumstances.
These options can be overridden locally via the see.flags configuration file located in the SenseOn installation directory. This local configuration covers the full range of options available through the SenseOn platform.
Alerts: If the see.flags file is accessed by an unknown process, a security alert will populate in the platform.
Different configuration option names: The names of the settings in the see.flags file may be different from those within the SenseOn platform.
Network Analysis
Whether the Universal Sensor processes network traffic.
--enable_epns=(true / false)
Reflex Host Isolation (Windows only)
Whether Reflex Host Isolation in response to ransomware is automatic or requires manual approval.
--reflex_response_mode=(manual / auto)
Auto Updates
Whether the Universal Sensor software should receive automatic updates.
--disable_update_check=(true / false)
Antimalware (Windows / macOS only)
Detects and blocks file-based malware. Default actions can be customised using the options below.
--disable_antimalware=(true / false)
--antimalware_mode=(dual_running / scan_only / scan_and_block)
scan_and_block: Scans files and blocks access to them if they are found to be malicious. Recommended NOT to be used alongside other antimalware products with real-time scanning enabled.
scan_only: Scans and alerts for detected malicious files but does not block access to them if they are found to be malicious. Recommended NOT to be used alongside other antimalware products with real-time scanning enabled.
dual_running: Can be used alongside other antimalware products without risk of interference. Scans and alerts for detected malicious files but does not block access to them if they are found to be malicious.
Paths to be excluded from antimalware file scanning.
--onaccess_exclude_paths=(comma-separated list of paths, with backslashes doubled, e.g. C:\\Program Files\\senseon-see)
Paths to be scanned without blocking (available only in scan_and_block mode).
--onaccess_scan_only_paths=(comma-separated list of paths, with backslashes doubled, e.g. C:\\Program Files\\senseon-see)
Active Response (Windows / Linux only)
Activating this setting enables select users to gain remote access to Windows and Linux endpoint devices, and to quickly isolate Windows devices so that they can no longer send or receive network connections.
--enable_remeda=(true / false)
Endpoint crash reporting (Windows only)
Help improve endpoint performance by automatically sending endpoint crash reports to SenseOn and crash dump files to secure cloud storage for analysis by the Universal Sensor support team.
--enable_crash_dumps_retrieval=(true / false)
Disabling remote settings updates
It is possible to disable all remote settings updates via the --disable_settings flag. Setting this flag will ensure that no remote configuration is possible even if a new setting is added in the future. When using this flag, the following default values will be used for the local agent configuration:
--enable_epns=true
--reflex_response_mode=manual
--disable_update_check=false
--disable_antimalware=true
--antimalware_mode=dual_running
--onaccess_exclude_paths=
--onaccess_scan_only_paths=
--enable_remeda=false
--enable_crash_dumps_retrieval=true
Note that the sensor must be restarted for any changes to see.flags to take effect.
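A check that can be run on a hand-edited see.flags file before restarting the sensor, given here as an added example and not SenseOn's own code: it validates each line against the option names and values listed on this page. The function name `audit_flags`, the constructed sample contents, and the assumption that the file holds one `--flag=value` entry per line are illustrative.

```python
import re

# Values taken from this page; None = free-form (paths, plugin lists, or format not shown).
BOOL = {"true", "false"}
ALLOWED = {
    "enable_epns": BOOL, "disable_update_check": BOOL, "disable_antimalware": BOOL,
    "enable_remeda": BOOL, "enable_crash_dumps_retrieval": BOOL, "verbose": BOOL,
    "audit_allow_sockets": BOOL, "reflex_response_mode": {"manual", "auto"},
    "antimalware_mode": {"dual_running", "scan_only", "scan_and_block"},
    "onaccess_exclude_paths": None, "onaccess_scan_only_paths": None,
    "config_plugin": None, "config_path": None, "logger_plugin": None,
    "logger_path": None, "disable_settings": None,
}
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a single backslash standing alone

# Constructed sample with deliberate mistakes (not a real deployment's file).
SAMPLE = r"""--enable_epns=true
--antimalware_mode=scan_only
--antimalware_mode=block
--onaccess_exclude_paths=C:\Program Files\senseon-see
--onaccess_scan_only_paths=C:\\Temp
--enable_remote=true
"""

def audit_flags(text):
    """Return (flags, findings) for the contents of a see.flags file."""
    flags, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"--([a-z_]+)(?:=(.*))?", line)
        if not m:
            findings.append(f"line {n}: not a --flag=value line")
            continue
        name, value = m.group(1), (m.group(2) or "").strip()
        if name not in ALLOWED:
            findings.append(f"line {n}: --{name} is not a documented option")
            continue
        if name in flags:
            findings.append(f"line {n}: --{name} is set more than once")
        if ALLOWED[name] is not None and value not in ALLOWED[name]:
            findings.append(f"line {n}: --{name}={value} is not an allowed value")
        if name.startswith("onaccess_") and LONE_BACKSLASH.search(value):
            findings.append(f"line {n}: --{name} has a backslash that is not doubled")
        flags[name] = value
    if flags.get("onaccess_scan_only_paths") and flags.get("antimalware_mode") != "scan_and_block":
        findings.append("--onaccess_scan_only_paths needs --antimalware_mode=scan_and_block")
    return flags, findings
```

Calling `audit_flags(SAMPLE)` reports the repeated and invalid `antimalware_mode`, the undoubled backslashes, the misspelled option name, and the scan-only path list used outside scan_and_block mode.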
Scheduled Telemetry Collection
The SenseOn Universal Sensor runs a number of scheduled queries, sending telemetry to the platform at regular intervals. Normally, the sensor fetches this configuration from the platform. However, it is possible to specify the configuration locally. To do so, add the following two lines to the sensor's see.flags configuration file:
--config_plugin=filesystem
--config_path=C:\\Program Files\\senseon-see\\see.conf (Windows)
--config_path=/etc/senseon-see/see.conf (Linux)
--config_path=/var/senseon-see/see.conf (macOS)
The default see.conf configuration file provided with the sensor is empty, so using it will disable all regular telemetry collection. Alternatively, we can provide the current configuration available from the SenseOn platform. With this setup, the agent will collect the same telemetry as is standard, while also being protected against an unexpected remote change of configuration.
Disable process enrichment
Process enrichment links network data to processes. It is enabled by default but can be disabled for troubleshooting.
--audit_allow_sockets=(true / false)
Logging
By default, limited logs for troubleshooting are sent back to the SenseOn platform. The default setting of logger_plugin is below.
--logger_plugin=tls,
Local logging
Logs can be stored locally by adding filesystem to the logger_plugin setting and defining a path for the log files.
Log Rotation: Log files stored locally can grow very large. This should only be enabled for short periods for troubleshooting purposes.
--logger_plugin=tls,filesystem
--logger_path=/var/log/senseon-see/
Verbose logging
More verbose logs can be created using the following option.
--verbose=(true / false)