Recovering a PC after it has been infected is a PITA. Rebuilding the PC is the easy part, but getting things back to the way the user likes it can be very time consuming and probably not the first priority when responding to an incident.
The organisation I work for has a partnership with SentinelOne, which is part of our Managed XDR offering, and so I was fortunate enough to be able to test out some of the cool features that SentinelOne has to offer. While SentinelOne has a lot of great features, the one I particularly liked, and which I think is quite handy, is its ability to roll back to a known good state.
I have been around the block a few times, so being able to roll back to a known good state after an endpoint has been infected seemed too good to be true, so I decided to test it out.
What I did was build a Windows 11 VM and copy across a few PDF files, install SentinelOne, and then grab a copy of the Phobos ransomware to execute on the machine. I chose ransomware simply because I knew it would screw up the machine.
On the SentinelOne side, the default policy is to block everything, which is a good thing, but I am no l33t h@xor, so with block mode on there was no way I could test the rollback feature. So for the purposes of my test, I created another policy and set it to detect only. With detection mode, I can manually execute the Phobos ransomware on my Windows 11 VM. With everything set up, it was time to execute the ransomware.
On my Windows 11 VM, I downloaded and extracted the Phobos ransomware. SentinelOne picked it up as expected. Even Windows got in on the act and warned me not to execute the file. But I like to live life on the edge, so after executing the ransomware I was left with an unusable machine and a message telling me to pay money to get my files back.
In the real world this would not happen. If a user ignores the alarms and still continues to execute the ransomware, then it is likely that that user needs to spend some time in the naughty corner for 7 to 10.
So I now had a Windows 11 VM infected with the Phobos ransomware. Within the SentinelOne console, I set the mitigation actions to Kill, Quarantine, Remediate and Rollback and then let SentinelOne do its magic. As expected, it did roll back to a known good state, which is a good thing.
I did try this a few times just to be sure and each time it did what it said on the box. On the last occasion I recorded the process and you can see the rollback feature in action.
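As an added example (not from the original post and not SentinelOne's own tooling), here is a way to turn "it rolled back" into a measurable check for a test like this: hash the seeded PDFs before detonation, keep that baseline off the VM, and compare the tree after rollback, flagging anything missing, newly added (renamed copies, dropped notes) or changed. The sample files, the tamper step and the restore step are constructed in a temp directory as stand-ins for the VM, the malware and the rollback.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so big documents are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root) -> dict:
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in root.rglob("*") if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Files gone, files new (renamed copies, ransom notes) and files whose content changed."""
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def rollback_restored(baseline: dict, current: dict) -> bool:
    """True only when the tree matches the baseline exactly: nothing missing, added or changed."""
    return not any(compare(baseline, current).values())

def demo() -> tuple:
    """Constructed walk-through: baseline the seed files, tamper, check, restore, check again."""
    originals = {"a.pdf": b"%PDF-1.7 alpha", "sub/b.pdf": b"%PDF-1.7 beta"}  # stand-ins for the PDFs
    with tempfile.TemporaryDirectory() as tmp:
        data, baseline_file = Path(tmp) / "data", Path(tmp) / "baseline.json"
        for name, content in originals.items():
            (data / name).parent.mkdir(parents=True, exist_ok=True)
            (data / name).write_bytes(content)
        baseline_file.write_text(json.dumps(snapshot(data)))  # taken BEFORE the test, kept off-box
        baseline = json.loads(baseline_file.read_text())
        # Stand-in for the damage: one file renamed, one overwritten, one note dropped (constructed).
        (data / "a.pdf").rename(data / "a.pdf.locked")
        (data / "sub/b.pdf").write_bytes(b"not the original bytes")
        (data / "info.txt").write_bytes(b"constructed note")
        after_damage = compare(baseline, snapshot(data))
        # Stand-in for the rollback: put the originals back and remove what was added.
        (data / "a.pdf.locked").rename(data / "a.pdf")
        (data / "sub/b.pdf").write_bytes(originals["sub/b.pdf"])
        (data / "info.txt").unlink()
        return after_damage, rollback_restored(baseline, snapshot(data))
```

Run `snapshot()` against the real seed folder before detonation and again after the rollback completes; a non-empty `added` list after rollback is the quickest sign that leftovers such as ransom notes survived.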
There is no commentary in the video, but everything is pretty straightforward. SentinelOne has a lot of great features and it is pretty easy to set up and use, and the rollback feature is just one of them.
SentinelOne Rollback Feature
I have seen a lot of other vendors jumping on the EDR/MDR/XDR bandwagon in recent years, and at the moment it is very competitive. We have a lot of choice nowadays, and while every vendor will claim that their product is the best, the only product you should be purchasing is the one that meets your needs.
Performing an evaluation with prescriptive success criteria is important. While a product may have all the fancy bells and whistles, it is important to list out the features and functions your organisation needs, as well as what the product is like to live with on a day-to-day basis, including how hard or easy it is to remove the product if you end up moving to something else in the future.
Well that’s enough from me. Stay curious and stay safe.
imp0st3r