CHEATSHEET FOR SECURITY ANALYSIS
S1QL Deep Visibility Cheatsheet:
https://assets.sentinelone.com/dv/sentinel-one-dv-chea-1 (Landscape)
https://assets.sentinelone.com/dv/sentinel-one-dv-chea-2 (Portrait)
Helm Repository for K8s Kubernetes
Per SentinelOne's article here: https://support.sentinelone.com/hc/en-us/articles/1500010089601-Installing-K8s-Agents-on-Kubernetes-Endpoints:
4. Add the SentinelOne helm repository.
helm repo add sentinelone https://charts.sentinelone.com
However, this is just a placeholder. Instructions here: https://charts.sentinelone.com/
After the repository has been added with helm, you can start using it:
# List all charts:
helm search repo sentinelone -l
# Install s1-agent from the online charts repository:
helm upgrade --install <name> \
--namespace=<namespace> \
--set configuration.cluster.name=<your cluster name to report to console> \
--set secrets.imagePullSecret=<image pull secret name> \
--set secrets.site_key.value=<your site key> <path to helm chart, or helm chart name>
Network Quarantine
To connect a disconnected endpoint (remove network quarantine):
From the Management Console, locate the endpoint and click:
> Actions > Reconnect To Network.
Or:
Open regedit.exe as Admin (to edit the registry).
Go to the following path:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\SubLayer
Delete the following key:
1F3649F2-1FB2-443E-8152-C209804E2A4F4
Reboot.
Or:
Open CMD as Administrator and run the following commands:
CD c:\Program Files\SentinelOne\Sentinel Agent <version>
sentinelctl unprotect -k "passphrase"
sentinelctl unquarantine_net
sentinelctl protect
Or:
Try this command (as Administrator):
CMD > netsh winsock reset
Endpoint Uptime
This status is now available in the Endpoint Details.
In the API, there is an "osStartTime" value.
To retrieve this value, enter the UUID of the endpoint in the "uuid" field on the API page:
/api-doc/api-details?category=agents&api=get-agents
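The API page referenced above returns the "osStartTime" field per Agent. The following is an added example (not from the page or from SentinelOne) that turns that field into an uptime figure and flags endpoints that have been up longer than a chosen number of days, which ties in with the scheduled-reboot advice given later for the PRDB pruning issue. Only "uuid" and "osStartTime" are field names taken from the page; the rest of the sample response ("data", "computerName", "pagination") is an assumption about the Console response shape, and the sample itself is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an agents API response. Only "uuid" and "osStartTime"
# come from the page; "data", "computerName" and "pagination" are assumptions
# about the Console response shape, not copied from SentinelOne documentation.
SAMPLE_AGENTS_RESPONSE = json.dumps({
    "data": [
        {"uuid": "11111111-2222-3333-4444-555555555555",
         "computerName": "WS-EXAMPLE-01",
         "osStartTime": "2021-04-06T03:42:48.209000Z"},
        {"uuid": "66666666-7777-8888-9999-000000000000",
         "computerName": "SRV-EXAMPLE-02",
         "osStartTime": None},  # Agent has not reported an OS start time
    ],
    "pagination": {"nextCursor": None, "totalItems": 2},
})


def parse_s1_time(value):
    """Parse the ISO-8601 UTC timestamps ('...Z') the Console API returns; None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def endpoint_uptimes(response_text, now):
    """Map each endpoint UUID to (computerName, uptime as timedelta or None).

    `now` must be timezone-aware so the subtraction against a UTC timestamp is valid.
    """
    payload = json.loads(response_text)
    uptimes = {}
    for agent in payload.get("data", []):
        started = parse_s1_time(agent.get("osStartTime"))
        uptime = (now - started) if started is not None else None
        uptimes[agent["uuid"]] = (agent.get("computerName"), uptime)
    return uptimes


def long_uptime_agents(uptimes, max_days):
    """UUIDs whose OS has been up longer than max_days (e.g. servers that never reboot).

    Endpoints with no osStartTime are skipped rather than assumed healthy.
    """
    limit = timedelta(days=max_days)
    return sorted(uuid for uuid, (_, up) in uptimes.items()
                  if up is not None and up > limit)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    uptimes = endpoint_uptimes(SAMPLE_AGENTS_RESPONSE, now)
    for uuid, (name, up) in uptimes.items():
        print(f"{name} ({uuid}): {'unknown' if up is None else up}")
    print("up for more than 7 days:", long_uptime_agents(uptimes, 7))
```

To use it against a live Console, fetch the agents API page for the UUID (with the API token your Console issues) and pass the response body to endpoint_uptimes; the functions never touch the network themselves.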
Pending Unquarantine Agent No Longer Holds Sufficient Information To Fetch The Threat
If you try to unquarantine a threat file, it may report a pending status on the Incidents page.
If you fetch the threat file from the Console, you may see a manifest.json file after downloading it from the Activity page. However, the original threat file is not included in the zip.
If you open the .json file with Notepad, you can see the following:
[{"included":false,"path":"","reason":"Agent no longer holds sufficient information to fetch the threat","sha1":"","sha256":"","size":0}]
There is a known issue that the threat id information is lost if an endpoint has been updated to a new Agent between the time of the quarantine and the unquarantine. This can cause issues with restoring or fetching files.
Try using https://shadowexplorer.com/ to restore your file from a snapshot. SentinelOne takes backups every 4 hours by default and will use 10% of the C:\ drive to store data.
ConnectWise AV Status
HKLM\SYSTEM\CurrentControlSet\Services\SentinelAgent\ should have all the info for the primary Agent process. Specifically, the ImagePath key has the exact location of the agent process.
HKLM\SYSTEM\CurrentControlSet\Services\SentinelAgent\Config\ should have all the items related to configuration. The DataDir entry shows where the Agent keeps all its configurations. SentinelOne does not use traditional signature databases, so this is the closest equivalent: it is where the Agent keeps the Blacklist hashes (the blacklisted Cloud Reputation feed) that it checks files against, including files that were manually blacklisted. More specifically, C:\ProgramData\Sentinel\assets\ is where the Blacklist and exclusions of all types (PathExclusion, CertExclusion, DeviceControl rules, FirewallControl rules, and so on) are kept.
For Version Check, technically there are 2 ways you can do this easily with commands:
• The first is the SentinelCtl.exe status command. It will return the full Monitor Build number along with other information. Maybe not the best command if CW can't parse it out.
• The second is the SentinelCtl.exe config version command which returns only the major version of the Agent, not the exact build.
If you can point to a registry key, the Description key at HKLM\SYSTEM\CurrentControlSet\Services\SentinelMonitor\ will return the same build/version info as the status command.
The only downside here is that their "Program Location" is static, meaning the next time you update the Agent, the version in the path will change. So I would recommend doing it with the registry key method. Or, if ConnectWise can use wildcards, that would work too for the version.
More info:
NovaSOC Integration
NovaSOC Integration requires a Global or Account admin role in SentinelOne. You cannot integrate using a Site admin Site Token.
Novasoc software will integrate with API calls for Global or Account only.
Can't Specify Different Roles With Site_Roles And Roles
SentinelOne has added a fix in Console Upgrade: Liberty SP2
When changing the scope of access for a Site user, you receive the following error: Can't specify different roles with site_roles and roles.
The workaround is to change the user to a different scope and role, then back to the correct role and scope. For instance, if you want a Site role to be changed from Site viewer to Site SOC, you should change the user scope to Account viewer, save the change, then edit the user's access scope again to change the scope to Site SOC in this example.
PowerShell Protection
PowerShell allows running .NET methods in memory without compiling or writing to disk, and calling native WINAPI methods.
The WINAPI calls are executed from the .NET Framework DLLs and PowerShell.exe, which are signed by Microsoft. This signature helps attackers avoid detection because many anti-virus products whitelist signed Microsoft binaries (SentinelOne does not). SentinelOne Agents use several behavioral techniques to identify the malicious use of PowerShell scripts.
SentinelOne creates a PowerShell profile that is loaded on every PowerShell.exe instance. With this profile, the Agent is able to hook and monitor various PowerShell functions and commands before they are executed.
The PowerShell Protection script is used for parsing various PowerShell commands, modules, and parameters. The information gathered from these scripts is used by SentinelOne's behavioral detection engines to alert on and mitigate malicious PowerShell scripts.
Webroot Internet Explorer Interoperability
Webroot recommends installing the non-Webroot program first. SentinelOne stated that Webroot enforces this order, and they recommend following these steps.
Source: https://answers.webroot.com/Webroot/ukp.aspx?pid=17&vw=1&app=vw&solutionid=1455
Set exclusions in SentinelOne: Management Console > Site > Network > Exclusions > Path Exclusion > New Exclusion.
Create a path exclusion:
\Device\HarddiskVolume*\Program Files\Webroot\WRSA.exe
SentinelOne recommended setting the Exclusion mode to Performance focus or Interoperability - extended.
Set override policy in Webroot.
Create 2 override entries:
· C:\Programdata\sentinel\
· C:\Program Files\SentinelOne\Sentinel Agent <version>\
· Note: The version number is in the format: x.x.x.xxxx. For example:
· C:\Program Files\SentinelOne\Sentinel Agent 2.6.4.5961
Note: Because you are including the Agent version number, this Webroot configuration will need to be updated when you upgrade the SentinelOne Agent software (to reflect the version number in the path). "Wildcards are not supported." https://docs.webroot.com/us/en/business/wsab_endpointprotection_adminguide/Content/UsingOverrides/CreatingWhitelistOverrides.htm
Refresh configuration for Webroot (on endpoint).
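Both the ConnectWise version check above and the Webroot override entries run into the same problem: the Agent's install folder carries its version, so any static path breaks on the next upgrade. The following is an added example (not code from the page, SentinelOne, Webroot or ConnectWise) that resolves the newest "Sentinel Agent <version>" folder numerically and regenerates the two override entries from it, which is what a deployment script would re-run after each Agent upgrade. The fixture folder names and the version 21.7.4.1043 are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Folder name pattern the page shows: "Sentinel Agent <x.x.x.xxxx>".
AGENT_DIR_RE = re.compile(r"^Sentinel Agent (?P<version>\d+(?:\.\d+){3})$")


def version_tuple(version):
    """'21.7.4.1043' -> (21, 7, 4, 1043), so 21.x sorts after 4.x (string order gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def installed_agent_dirs(program_files):
    """[(version, path)] for every 'Sentinel Agent <version>' folder under
    <program_files>\\SentinelOne, newest version first."""
    base = Path(program_files) / "SentinelOne"
    found = []
    if base.is_dir():
        for entry in base.iterdir():
            m = AGENT_DIR_RE.match(entry.name)
            if m and entry.is_dir():
                found.append((version_tuple(m["version"]), m["version"], entry))
    found.sort(reverse=True)
    return [(version, path) for _, version, path in found]


def current_agent_version(program_files):
    """Version string of the newest installed Agent folder, or None if none is found."""
    dirs = installed_agent_dirs(program_files)
    return dirs[0][0] if dirs else None


def webroot_override_entries(version,
                             program_files="C:\\Program Files",
                             program_data="C:\\ProgramData"):
    """The two Webroot override paths from the page with the version filled in
    (literal paths, since the Webroot guide says wildcards are not supported)."""
    return [
        f"{program_data}\\sentinel\\",
        f"{program_files}\\SentinelOne\\Sentinel Agent {version}\\",
    ]


def build_sample_program_files():
    """Constructed fixture: an old and a newer Agent folder (21.7.4.1043 is a
    placeholder version) plus a stray file that must not match the pattern."""
    root = Path(tempfile.mkdtemp(prefix="s1pf_"))
    (root / "SentinelOne" / "Sentinel Agent 4.6.12.241").mkdir(parents=True)
    (root / "SentinelOne" / "Sentinel Agent 21.7.4.1043").mkdir()
    (root / "SentinelOne" / "Sentinel Agent notes.txt").write_text("not an install folder\n")
    return root


if __name__ == "__main__":
    sample = build_sample_program_files()
    version = current_agent_version(sample)
    print("newest Agent folder:", version)
    for entry in webroot_override_entries(version):
        print("Webroot override:", entry)
```

On a real endpoint call current_agent_version("C:\\Program Files"); the numeric comparison matters because a plain string sort would rank 4.6.12.241 above 21.7.4.1043.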
If the steps above did not resolve the issue, you can try this alternative solution:
These are strictly changes made in Webroot's Console. Create a new policy in Webroot and disable Webroot Identity Protection, then add the endpoint to this policy. This does not require SentinelOne exclusions to be set in Webroot.
1. Duplicate the "Managed Desktop" policy and turn off Identity Shield.
2. Assign this new policy to the specific endpoint. This takes about 3-5 minutes to update on the endpoint (the time depends on the policy polling interval; in the referenced image it is set to pull every 15 minutes).
This article discusses what happens when you turn this policy off: https://community.webroot.com/knowledge-base-76/identity-shield-policy-settings-for-webroot-business-endpoint-protection-327131
Related Articles:
https://answers.webroot.com/Webroot/ukp.aspx?pid=17&vw=1&app=vw&solutionid=1455
https://support.sentinelone.com/hc/en-us/articles/360013125634-Excluding-SentinelOne-from-Anti-Virus
Decommissioned Endpoints
SentinelOne has added a filter in the Sentinels page. But here's how I viewed decommissioned endpoints before this UI was added.
1. In the Management Console, click Sentinels.
2. Add this to the last part of the URL:
/sentinels/devices/?page=1&filter={"isDecommissioned":"true"}
This may cause UI issues.
At the top right of the Console, click your name and select My User from the drop-down menu. From there, choose Clear Preferences.
Device Control - SCSI Disk Controller
I haven't seen reports of this issue in a while and believe SentinelOne has added a fix in more recent packages.
Device Control caused endpoints with specific SCSI Controllers to blue screen.
To allow the endpoint to boot, disable Device Control at the associated Scope.
Older info: SentinelOne's Development Team released an Engineering build to help them better understand this issue.
SentinelOne's Development Team is working to track down the relevant hardware to attempt internal reproduction; however, several vendors have responded that they have newer equivalents but nothing with the exact controller.
Install SentinelOne Agent with Device Control enabled.
Run:
sentinelctl config agent.deviceControl.excludedDeviceSetupClasses "{4d36e97b-e325-11ce-bfc1-08002be10318}" -k "Passphrase"
Confirm class is listed in the output of: sentinelctl config agent.deviceControl.excludedDeviceSetupClasses
Reboot.
SentinelAgent.exe Stuck In Starting Status
Workaround 1 (if unable to reboot and Agent can be stopped):
Disable Anti Tamper:
sentinelctl unprotect -k "passphrase"
Stop all services:
sentinelctl unload -slam
Verify SentinelAgent and SentinelMonitor are stopped:
sentinelctl status
Delete the files and folders inside the following folders but do not delete db and prdb: C:\ProgramData\Sentinel\data\db C:\ProgramData\Sentinel\data\prdb
Start all services:
sentinelctl load -slam
Enable Anti Tamper:
sentinelctl protect
Workaround 2 (if able to reboot):
Disable Anti Tamper:
sentinelctl unprotect -k "passphrase"
Delete the files and folders inside the following folders but do not delete db and prdb: C:\ProgramData\Sentinel\data\db C:\ProgramData\Sentinel\data\prdb
Reboot.
Enable Anti Tamper:
sentinelctl protect
Make sure services are running:
sentinelctl status
Related:
The SentinelOne database in C:\ProgramData\Sentinel\data\prdb\ Folder stores information to track threats and their related processes and actions. It also holds the data model for the behavioral AI engines and the functionality for remediation and rollback.
The PRDB folder will no longer exist on servers or workstations that have actively purged their DB either due to the Management Action or automatically once it goes over 2 GB (servers only). The DB folder takes its place after the first purge.
In the example below, the logs show the Agent going through the pruning process, then stopping the SentinelAgent.exe service.
2021-04-06T03:42:48.209 INFO Pruning decision: 1 (db size in bytes: [2206604204/2147483648], is known to be infected: 0)
2021-04-06T03:42:48.211 INFO Executing command: "C:\Program Files\SentinelOne\Sentinel Agent 4.6.12.241\SentinelCtl.exe" reload -a -u
2021-04-06T03:42:50.198 INFO AgentShutDown: Signaling AGENT_STOP_EVENT
2021-04-06T03:42:50.198 WARN Sentinel Agent was successfully told to stop
2021-04-06T03:42:50.199 INFO AgentShutDown: AGENT_STOP_EVENT signaled
2021-04-06T03:42:50.199 INFO Reporting state SERVICE_STOP_PENDING to SCM
2021-04-06T13:09:36.280 INFO AgentShutDown: WinAgent stopped
2021-04-06T13:09:36.280 INFO Reporting state SERVICE_STOPPED to SCM
2021-04-06T13:09:36.282 INFO AgentShutDown: Going down...
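The log lines above carry two things worth extracting automatically when triaging a PRDB problem: the pruning decision with the database size against its limit, and the time between SERVICE_STOP_PENDING and SERVICE_STOPPED (more than nine hours in this excerpt). The following is an added example (not SentinelOne tooling) that parses lines in that format and flags stops that took too long; the excerpt it runs on is constructed from the lines quoted above.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the SentinelAgent log lines quoted above.
SAMPLE_AGENT_LOG = """\
2021-04-06T03:42:48.209 INFO Pruning decision: 1 (db size in bytes: [2206604204/2147483648], is known to be infected: 0)
2021-04-06T03:42:48.211 INFO Executing command: "C:\\Program Files\\SentinelOne\\Sentinel Agent 4.6.12.241\\SentinelCtl.exe" reload -a -u
2021-04-06T03:42:50.198 INFO AgentShutDown: Signaling AGENT_STOP_EVENT
2021-04-06T03:42:50.199 INFO Reporting state SERVICE_STOP_PENDING to SCM
2021-04-06T13:09:36.280 INFO AgentShutDown: WinAgent stopped
2021-04-06T13:09:36.280 INFO Reporting state SERVICE_STOPPED to SCM
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
PRUNE_RE = re.compile(
    r"Pruning decision: (?P<decision>\d+) \(db size in bytes: \[(?P<size>\d+)/(?P<limit>\d+)\]")
STATE_RE = re.compile(r"Reporting state (?P<state>[A-Z_]+) to SCM")


def parse_ts(text):
    """Timestamps in the log are local time with millisecond precision."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f")


def analyze_agent_log(text):
    """Extract pruning decisions and how long each service stop took.

    Returns {"prunes": [...], "stop_seconds": [...]}: each prune records the DB
    size against the limit, and each stop_seconds entry is the gap between
    SERVICE_STOP_PENDING and the next SERVICE_STOPPED.
    """
    prunes, stop_seconds = [], []
    pending_since = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or noise
        when, msg = parse_ts(m["ts"]), m["msg"]
        pm = PRUNE_RE.search(msg)
        if pm:
            size, limit = int(pm["size"]), int(pm["limit"])
            prunes.append({"time": when, "decision": int(pm["decision"]),
                           "db_bytes": size, "limit_bytes": limit,
                           "over_limit": size > limit})
            continue
        sm = STATE_RE.search(msg)
        if sm:
            if sm["state"] == "SERVICE_STOP_PENDING":
                pending_since = when
            elif sm["state"] == "SERVICE_STOPPED" and pending_since is not None:
                stop_seconds.append((when - pending_since).total_seconds())
                pending_since = None
    return {"prunes": prunes, "stop_seconds": stop_seconds}


def slow_stops(analysis, max_seconds=600):
    """Service stops that exceeded max_seconds; a prune that hangs shows up here."""
    return [s for s in analysis["stop_seconds"] if s > max_seconds]


if __name__ == "__main__":
    result = analyze_agent_log(SAMPLE_AGENT_LOG)
    for prune in result["prunes"]:
        print(f"{prune['time']}: db {prune['db_bytes']} / limit {prune['limit_bytes']} "
              f"over_limit={prune['over_limit']}")
    print("slow stops (seconds):", slow_stops(result))
```

Run it over a real SentinelAgent log by reading the file into the text argument; a stop that takes hours after a "Pruning decision: 1" line is the signature described in the RCA notes that follow.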
WIN-13504
Resolved in 4.6.13: The Windows Agent database pruning algorithm ran for several hours, caused CPU and memory spikes, and inflated the size of the pruned database.
When the database is marked as corrupted, the Agent UI displays the message "Reboot now to fix database" on workstations. This is often caused by disk space, memory, or page file resource issues. Workstations do not auto-prune; only servers do, so that they can stay alive for long periods of time.
Check the services after 5 to 10 minutes or longer if they are in a stopped or starting status. The keep-alive process runs in multiples of 4, which the Console will reflect.
Setting exclusions helps lower resource usage and database activity, and therefore reduces pruning.
More frequent scheduled reboots can help mitigate the PRDB issue.
PRDB process checks for running service and must interact with service to stop it before PRDB can continue.
Do not attempt to update while the service is not started; an unstable service state will cause updates to fail. The difference between the RMM deployment and Console deployment methods is that the Console method uses the BITS download service, but this does not contribute to the outcome of the install. Actions > Update Agents is corrupting Agents: the update starts while the service is in a stopped status, and the update may fail.
Expect constant improvement from SentinelOne in upcoming Agent builds.
This does not seem related to any specific Agent version; rather, it is a scenario where the server is very busy, which generates a large number of process objects in the SentinelOne DB that then need to be moved during the pruning operation.
The RCA from SentinelOne's Dev Team is that the Agent is having to move hundreds of thousands of process objects from the old DB during the pruning, and it's getting hung up at that stage.
Delete A Console User Profile
Error message: User does not have required permissions.
You cannot delete a user that has the same Access scope as your user. To delete that user, change the user to a lower scope. Account partners are provisioned as Account Admins. If you would like to delete another Account user, change the scope of access for that user to Site Viewer.
In the Edit User window, click:
> Options > Change Scope Of Access.
In the window that opens, change the user's Access and role to Site Viewer. Then delete the user profile.
macOS Uninstall
If you have issues uninstalling from the Management Console, you can try these options.
$ sudo sentinelctl unprotect --passphrase "passphrase"
===Sentinel protection has been disabled
$ sudo sentinelctl uninstall --local
With root permissions:
sudo /opt/sentinelone/bin/sentinelctl control uninstall --passphrase "string"
Or:
Restart the Mac in recovery mode.
In the terminal go to:
/Volumes/Macintosh\ HD/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl
Run:
uninstall --local
exit
This way you will not be prompted with a passphrase.
Or:
Boot in recovery mode (⌘-R).
Use Disk Utility to mount the primary hard drive.
Open Terminal.
* chroot /Volumes/Macintosh\ HD/
* bash /Library/Sentinel/sentinel-agent.bundle/Contents/Resources/uninstall.sh
Reboot.
Or:
Launch sentinelctl:
/Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/sentinelctl
Uninstall the Agent:
uninstall --local
Adobe Acrobat Interoperability
This should only be used for internal testing.
Policy Override:
{
"hooksExclusion": {
"hooksExclusionVector": [
{
"exclusions": [
"NtAllocateVirtualMemory"
],
"pattern": "c:\\Program files (x86)\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"
},
{
"exclusions": [
"NtAllocateVirtualMemory"
],
"pattern": "c:\\Program files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"
}
]
}
}
afterSentDocuments Folder
If Agent install fails, check the SentinelInstaller logs and see if C:\Users\C$\documents\afterSentDocuments\ is referenced.
Check if 'C:\Users\C$\documents\' exists on this endpoint. Is this a real account, and does it have the same folder structure that would be expected in C:\users?
Is this folder being redirected?
Check the registry for 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' to see that account is still listed.
Would it be possible to recreate the folders that the install expects to be present, either manually or by logging in again with that user?
https://www.urtech.ca/2019/10/sovled-what-are-aftersentdocuments-folder-and-files/
They’re our Malware/Ransomware decoys!
The SentinelOne Agent Installer installs a number of files on the endpoint. Most of these files are directly related to product functionality, but some are used to assist with detections. A handful of these files are called decoys. These files are planted on the system in user accessible locations in order to act as a honeypot for malware and ransomware. These files are monitored by the SentinelOne Agent for modification, deletion, and encryption that could indicate an attack.
Some of the locations of these files are:
C:\Users\Public\Documents\afterSentDocuments
C:\Users\Public\appdata\local\afterSentDocuments
C:\Users\Default\Documents\afterSentDocuments
C:\Users\(each users folder)\Documents\afterSentDocuments
The locations listed above contain additional folders and files that are hidden but accessible without special permissions. The files themselves are harmless but play an integral part in ransomware detections. Deleting these files somewhat reduces the chance some ransomware activities can be identified, so it is best to leave the files as they are.
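Because deleting the decoy folders weakens ransomware detection, it is useful to be able to audit an endpoint for them. The following is an added example (not SentinelOne code) that builds the expected decoy folder list from the locations above, including one per user profile, and reports each as present, empty or missing. It takes the system drive root as a parameter so it can be exercised offline on a constructed directory tree; the decoy file contents in the fixture are constructed.

```python
import tempfile
from pathlib import Path

# Fixed decoy locations from the page, relative to the system drive root.
FIXED_DECOY_DIRS = (
    "Users/Public/Documents/afterSentDocuments",
    "Users/Public/appdata/local/afterSentDocuments",
    "Users/Default/Documents/afterSentDocuments",
)


def expected_decoy_dirs(root):
    """Fixed locations plus Users\\<each user>\\Documents\\afterSentDocuments."""
    root = Path(root)
    dirs = [root / d for d in FIXED_DECOY_DIRS]
    users = root / "Users"
    if users.is_dir():
        for profile in sorted(users.iterdir()):
            if profile.is_dir() and profile.name not in ("Public", "Default"):
                dirs.append(profile / "Documents" / "afterSentDocuments")
    return dirs


def decoy_status(root):
    """Map each expected decoy folder (relative, POSIX-style) to present/empty/missing.

    "empty" means the folder exists but the decoy files inside are gone, which
    weakens detection just as removing the folder does. Hidden files still count
    as present because iterdir() lists them.
    """
    root = Path(root)
    status = {}
    for d in expected_decoy_dirs(root):
        key = d.relative_to(root).as_posix()
        if not d.is_dir():
            status[key] = "missing"
        elif not any(d.iterdir()):
            status[key] = "empty"
        else:
            status[key] = "present"
    return status


def decoys_needing_attention(root):
    """Sorted list of decoy folders that are not fully present."""
    return sorted(k for k, s in decoy_status(root).items() if s != "present")


def build_sample_root():
    """Constructed fixture: one intact decoy, one emptied folder, one profile without decoys."""
    root = Path(tempfile.mkdtemp(prefix="s1decoys_"))
    intact = root / "Users" / "Public" / "Documents" / "afterSentDocuments"
    intact.mkdir(parents=True)
    (intact / "decoy.docx").write_bytes(b"constructed decoy content")
    (root / "Users" / "Default" / "Documents" / "afterSentDocuments").mkdir(parents=True)
    (root / "Users" / "alice" / "Documents").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for folder, state in decoy_status(build_sample_root()).items():
        print(f"{state:8} {folder}")
```

On a Windows endpoint call decoy_status("C:\\"); on a case-sensitive test filesystem the fixture uses the same spelling as the constants, so the appdata entry reports as missing only because the fixture never creates it.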
ConnectWise Automate/Labtech Deployments (MSI)
To add a Site token to an Agent with an MSI:
In the Management Console, select your Site scope, copy the Site Token from Sentinels > Packages.
Build the Agent with this parameter: SentinelAgent.MSI /SITE_TOKEN=%Site-Token% /Q /NORESTART
Use the file name you imported into Labtech for the “SentinelAgent.MSI” and replace “%Site-Token%” with your Site Token. The script will run a silent install and no reboot.
Data Retention Policy
Q: What is SentinelOne's data retention policy?
A: The data retention policy has been changed to hold data for you for longer while maintaining your privacy.
Data held for 1 year: threats, Agents with threats, blocked device events, activities, tasks
Data held for 3 months: Agents without threats, notifications
Data held for 1 month: events of device connections, firewall events
Data held for 1 week (7 days): activity passphrases, users, applications
They regularly revisit and update this policy as needed.
Windows Security Center (WSC) Snoozed Status
This is due to WSC polling the SentinelAgent. If the Agent is performing certain processes, its status will show as "snoozed" according to WSC, even though the SentinelOne Agent is running normally. For example, if the Agent is performing a DB purge, updating Site/Group Tokens, updating the local hash list, etc., it can report as snoozed because the SentinelAgent will reload (stop, then start again). The status will return to "On" after the Agent has completed the process.
macOS Big Sur Upgrades
Install the 21.5 GA (21.5.3.5411) package that's compatible with Big Sur. This package does not use a kext file, it uses the new macOS system extensions. This will require you to authenticate SentinelOne with the new macOS system extension. This requires full disk access on Big Sur. This video will show how to install and provide authorization for the new Agent on Big Sur: https://youtu.be/4_XHVWiqjFI.
Important:
macOS Agents 4.7.11 SP1 and 21.5 EA2, and 21.5 GA (21.5.3.5411) were released and support macOS Big Sur 11.3. Upgrade the Agent to one of these versions before upgrading to macOS Big Sur 11.3, otherwise, the Agent will become unresponsive and cannot be upgraded.
If an endpoint has already been upgraded to 11.3, uninstall the SentinelOne Agent using the recovery mode method. Then install the compatible Agent: 4.7 SP1 (4.7.11.5281) - April 21, 2021 or 21.5 GA (21.5.3.5411) - May 11, 2021.
Note: You may need to run Disk Repair and turn off Disk Encryption > Reboot > Recovery Mode. Then navigate to /Library/Sentinel directory and uninstall.
Support for Apple M1 silicon was added in 5.0 EA (5.0.1.4893) - March 19, 2021. The installer package contains a universal binary that can run on Apple M1 silicon and Intel chipset Mac endpoints. The same installer works on all platforms with the same instructions. Follow System Requirements for updates on macOS ARM support.
For macOS 10.15.3, please use the 4.3 Agents.
Notifications
SentinelOne has a YouTube video: How to Configure Email Notifications in the SentinelOne Management Console:
Include Site Name on Email Notifications:
This is planned on SentinelOne's road map, but no ETA has been provided.
In the meantime, you can set notifications to use specific SMTP email addresses for each Site: /settings/integrations/smtp/. This will allow you or a ticketing system to see which Site the notifications are for. Use a naming convention similar to: [SiteName]S1Alerts@[domain].com.
E.G.: You can configure the ticket system to receive emails from SentinelOne and generate tickets using a setup like this:
https://awp.autotask.net/managerhelp/Content/4_MANAGER/AutotaskPSAIntegration/Setup/Setup%20IEP.htm
Scope UI:
When Notifications are enabled at the Site scope but there is no recipient, notifications will not be received anywhere above that scope.
If Notifications that you would like to receive are enabled at the Account scope, and those notifications are not enabled at the Site scope, then the recipient at the Account scope will receive the notifications. So, deselect the Notifications at the Site scope where there are no recipients, and the Account scope recipients will receive Notifications.
If you have recipients set for each Site, then each Site will require their own notifications selections.
This can be done through API if you would like to script it. You will need to set one Site with the correct notifications, then run the API to find the configuration data:
/api-doc/api-details?category=settings&api=get-notification-settings
Copy the data from the API output, then set it for the rest of your Sites using this API:
/api-doc/api-details?category=settings&api=set-notification-settings
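Scripting the copy described above means reading the configured Site's settings once and writing the same data to every other Site. The following is an added example (not SentinelOne code) that builds one set request per target Site from a get response, skips the source Site and deduplicates targets, and keeps the HTTP transport injectable so the logic runs offline. The REST path, the "filter"/"data" request shape, the ApiToken authorization header and the field names inside the sample response are assumptions; confirm the real path and payload on the two /api-doc pages named above. The sample response and Site IDs are constructed.

```python
import json
import urllib.request

# Constructed sample of a get-notification-settings response for the Site that
# is already configured correctly. The field names inside "data" are placeholders;
# a real copy reuses whatever the API returns without inspecting it.
SOURCE_SITE_ID = "1000000000000000001"
SAMPLE_GET_RESPONSE = json.dumps({
    "data": {
        "threats": {"newThreat": {"email": True, "syslog": False}},
        "activities": {"agentUpgraded": {"email": False, "syslog": True}},
    }
})

# Assumed REST path behind the set-notification-settings API-doc page.
SET_PATH = "/web/api/v2.1/settings/notifications"


def build_set_requests(get_response_text, source_site_id, target_site_ids):
    """One ("PUT", path, body) per target Site, reusing the source Site's settings.

    The source Site is skipped so it is never overwritten with itself, and
    duplicate target IDs collapse to a single request.
    """
    settings = json.loads(get_response_text)["data"]
    requests = []
    for site_id in dict.fromkeys(target_site_ids):  # preserves order, drops duplicates
        if site_id == source_site_id:
            continue
        # Assumed request shape: a scope filter plus the settings document.
        body = {"filter": {"siteIds": [site_id]}, "data": settings}
        requests.append(("PUT", SET_PATH, body))
    return requests


def apply_notification_settings(get_response_text, source_site_id, target_site_ids, send):
    """Push the settings to each target via send(method, path, body) -> status code."""
    results = {}
    for method, path, body in build_set_requests(get_response_text, source_site_id, target_site_ids):
        results[body["filter"]["siteIds"][0]] = send(method, path, body)
    return results


def make_sender(console_url, api_token):
    """Real transport: JSON request to the Console with an API token (assumed header)."""
    def send(method, path, body):
        req = urllib.request.Request(
            console_url.rstrip("/") + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"ApiToken {api_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return resp.status
    return send


def recording_sender():
    """Offline stand-in for make_sender(): records requests and answers 200."""
    log = []

    def send(method, path, body):
        log.append((method, path, body))
        return 200
    return send, log


if __name__ == "__main__":
    send, log = recording_sender()
    targets = [SOURCE_SITE_ID, "2000000000000000002", "3000000000000000003"]
    print(apply_notification_settings(SAMPLE_GET_RESPONSE, SOURCE_SITE_ID, targets, send))
    print(len(log), "requests would be sent")
```

Swap recording_sender() for make_sender("https://<your console>", "<api token>") once the path and payload have been checked against your Console's API docs.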
Clear Pending Notifications:
There’s an option to clear pending email notifications:
> Settings > Integrations > SMTP
Veeam Failed To Disable DC SafeBoot Mode
Running backups with Veeam, users may see this error: "Failed to disable DC SafeBoot mode."
Confirm the Sentinel config is set to false:
sentinelctl config safeBootProtection false -k "MY PASS PHRASE"
Reboot the endpoint to see results.
WARNING! Do not set this option to false without explicit instructions from Support. Disabling this feature disables many ransomware detections and will void the warranty.
Failed Agent Install (SentinelInstaller Logs for Troubleshooting)
Windows Agents generate installation logs in clear text on the endpoints. If the install failed, then gather the files below. You can view these with notepad as they are plain text.
If the install was initiated by management or GPO then check the following directory:
%windir%\temp
(%windir% is C:\Windows)
If initiated by End user:
%temp%
%temp% is C:\Users\username\AppData\Local\Temp
If you use %temp%, it will always work. To use the actual full path, replace username with the username of the person logged in to the endpoint.
Tip: To troubleshoot installation issues, search the logs for "ERROR" or "FATAL".
You should be able to locate 3 files, and they can all be opened with a text editor such as notepad.
SentinelInstaller_<version>_<date>.log
SentinelInstaller_<version>_<date>.out
SentinelInstaller_<version>_<date>.dmp
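The procedure above (look in %windir%\temp or %temp%, find the three SentinelInstaller files for the run, search for "ERROR" or "FATAL") is easy to script for a helpdesk. The following is an added example (not SentinelOne tooling) that groups the .log/.out/.dmp files per install run by version and date and returns the flagged lines with their line numbers. The fixture directory, its version 21.7.4.1043, date and log text are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

LOG_NAME_RE = re.compile(
    r"^SentinelInstaller_(?P<version>[\d.]+)_(?P<date>[^.]+)\.(?P<ext>log|out|dmp)$")
SEVERITY_RE = re.compile(r"\b(ERROR|FATAL)\b")


def candidate_log_dirs(env=None):
    """The two locations the page names: %windir%\\temp (management/GPO installs)
    and %temp% (installs started by the logged-in user)."""
    env = os.environ if env is None else env
    dirs = []
    if env.get("windir"):
        dirs.append(Path(env["windir"]) / "temp")
    if env.get("TEMP"):
        dirs.append(Path(env["TEMP"]))
    return dirs


def find_installer_logs(dirs):
    """Group SentinelInstaller_<version>_<date>.{log,out,dmp} by install run."""
    runs = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in directory.iterdir():
            m = LOG_NAME_RE.match(path.name)
            if m:
                runs.setdefault((m["version"], m["date"]), {})[m["ext"]] = path
    return runs


def triage(log_path):
    """(line number, text) for every line mentioning ERROR or FATAL."""
    hits = []
    # errors="replace" keeps the scan going if the log has non-UTF-8 bytes.
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if SEVERITY_RE.search(line):
                hits.append((number, line.rstrip()))
    return hits


def build_sample_log_dir():
    """Constructed fixture (version, date and messages are placeholders) so this runs offline."""
    root = Path(tempfile.mkdtemp(prefix="s1installer_"))
    stem = "SentinelInstaller_21.7.4.1043_2021-09-01"
    (root / f"{stem}.log").write_text(
        "INFO  Starting install\n"
        "ERROR Could not create C:\\Users\\C$\\documents\\afterSentDocuments\n"
        "INFO  Rolling back\n"
        "FATAL Installation aborted\n")
    (root / f"{stem}.out").write_text("installer exit code (constructed)\n")
    return root


if __name__ == "__main__":
    dirs = candidate_log_dirs() or [build_sample_log_dir()]
    for (version, date), files in find_installer_logs(dirs).items():
        print(f"install run {version} on {date}: {sorted(files)}")
        if "log" in files:
            for number, text in triage(files["log"]):
                print(f"  line {number}: {text}")
```

On an endpoint, candidate_log_dirs() picks up the real %windir% and %temp% from the environment; the fixture is only used when neither is set, which is the offline case.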
macOS:
If you have any installation problems:
/var/log/install.log
Or to get the log files on the desktop:
sudo sentinelctl logreport
Management Console Password Resets and 2FA Resets
Password Reset:
You can send a verification email through the Console, and you no longer need to force a password.
> Settings > Users > Search email address > Check the box for the user profile > Actions > Send Verification Email.
Use this option to email the user a web link where they create their own password.
A verification email is sent to the email address. There is a link in the email which brings them to a Console login page. They will immediately be prompted with a window to create a new password.
Please make sure that noreply@mailsender.sentinelone.net is allowed through your mail filter so that they receive the email. There are known issues where a mail filter will modify the link that is being sent out.
2FA:
If a Management Console user's 2FA is not working, or if a user gets a different mobile device, you might need to reset 2FA for the user. To do this, disable 2FA for the user and enable it again. The verification email does not reset 2FA.
To reset 2FA for a Management Console user:
Settings > Users.
Click on the email address.
Click Options > Edit User Details.
Disable Two-Factor Authentication > Save.
Enable Two-Factor Authentication > Save.
Ask the user to log in. They will be prompted with a QR code to scan with their phone. Have them follow the on-screen instructions.
If you run into the error: "Can't disable two factor authentication while the global policy is enabled", this is an indication that they have 2FA enforced at the Site or Account level. Check the Scope to see if Two-Factor Authentication is enabled. If so, disable it temporarily to complete the reset for the user. Then turn this back on.
Pay attention to the Scope of Access (Account, Site). If a user is a Site Admin, check the 2FA settings at the Site scope, as well as the Account scope. 2FA can be enforced in both Account and Site scopes and will need to be disabled at both scopes before you can reset 2FA for a Site Admin. If you are an Account Admin, you only need to disable 2FA at the Account scope.
Disregard Roles while troubleshooting 2FA (Admin, C-Level, IR Team, IT, SOC, Viewer). They have no connection to 2FA.
If the login fails, there are different solutions for different 2FA apps:
https://guide.duo.com/common-issues
https://support.google.com/accounts/answer/185834?hl=en&ref_topic=2954345
Legacy Agent Install Troubleshooting
Supported OS:
Windows XP SP3 or later (KB968730) 32/64-bit NTFS/FAT32
Windows Server 2003 SP2 or later, or R2 SP2 or later, (KB968730) 32/64-bit
Windows 2008 (Pre-R2)
Windows Embedded POSReady 2009
Minimum Hardware Requirements:
Intel Pentium 3 or later processor (or AMD Opteron/Athlon 64 or later) with SSE2 instruction set support
256 MB RAM (512 MB for Server 2003 machines)
500 MB Hard Disk
Legacy agents have the Site Token and Management Server URL coded into the package. So, when you run the setup package provided by SentinelOne, it is specific to the Site you requested it for. The Agent will install without prompting for a Token.
Here is a list of basic communication tests:
Install the Microsoft KBs.
Update the Legacy Agent certificate.
Files can be downloaded here: https://sentinelone.sharefile.com/share/view/sb7f8e7da95f440ba/foeb8b08-2bde-4653-b8d8-3bfffc321857
Download Firefox (this test is not compatible with Internet Explorer) and open the SentinelOne Management Console home page to confirm there are no prompts for certificates.
Multi-site cloud-based environments use a proxy server for the communication with the Legacy Agent version 2.0. Make sure this address is open in the firewall.
Use the following command to locate the server.mgmtServer and confirm you have an allow rule in your firewall.
sentinelctl config
When submitting a Legacy package request to SentinelOne, add the Site Token in the field to automatically generate a package.
Security Reports (Compliancy Audits)
Privacy
SentinelOne maintains a comprehensive privacy policy at https://www.sentinelone.com/privacy-policy. This policy includes descriptions of our handling of personal information submitted by public website site visitors as well as by users of our product solutions. For residents of California (US) concerned with CCPA, please see https://www.sentinelone.com/legal/ccpa-privacy-notice/. More information is available upon request.
ISO 27001
SentinelOne's Information Security Management System is ISO/IEC 27001:2013 compliant as of September 2018. This means that we have developed, implemented, and follow security best practices and that the security program has been audited and approved by a third party. Please access our ISO certificate here: https://www.schellman.com/certificate-directory?certificateNumber=1442061-3
General Data Protection Regulation (GDPR)
SentinelOne is General Data Protection Regulation compliant. SentinelOne employees are trained and aware of their obligations for European third party data protection. GDPR compliance was achieved in May 2018.
PCI-DSS
SentinelOne retained Tevora, a security and risk management consulting firm, and a reputable PCI Qualified Security Assessor (QSA), to conduct an independent, in-depth evaluation of SentinelOne’s anti-malware Endpoint Protection, Detection, and Response Platform (SentinelOne Platform) and software against PCI DSS version 3.2.1 Requirement 5. Tevora attests that SentinelOne’s Platform meets the intent of controls set out in PCI DSS 3.2.1 Requirement 5. The Platform provides the ability to protect, detect, contain, and remove all known and previously unknown types of malware. Additionally, the Platform regularly updates and patches itself to ensure it is frequently maintained for optimal performance. With verbose log capabilities, configurable system scans, Anti Tamper mechanisms, and hundreds of integrations with SIEM and other information security solutions, the SentinelOne Platform checks all PCI boxes. Tevora's statement is available here: https://assets.sentinelone.com/gdpr/tevora-sentinelone-p-1
Fedramp
SentinelOne is pursuing Fedramp Moderate Authorization to operate in GovCloud. SentinelOne has attained "in process" designation and we expect full "Moderate Level" compliance in early 2020. https://marketplace.fedramp.gov/#/product/sentinelone-endpoint-protection-platform-and-activeedr?sort=productName&productNameSearch=sentinel
HIPAA
SentinelOne retained Tevora, a security and risk management consulting firm, and a reputable HITRUST Assessor, to conduct an independent, in-depth evaluation of SentinelOne’s anti-malware Endpoint Protection, Detection, and Response Platform (SentinelOne Platform) and software against HIPAA Security Rule requirements. Tevora attests that SentinelOne’s Platform meets the intents of prevention, detection, remediation, and reporting requirements covered by the HIPAA Security Rule and HITECH when properly configured. Further, it aligns with HIPAA’s Security Rule Requirements §164.308(a)(1), §164.308(a)(5)(ii)(B) and §164.308(a)(6)(ii) for security violations and incidents, and more specifically malware protection. Tevora's statement is available here: https://assets.sentinelone.com/gdpr/tevora-sentinelone-p-1
SOC 2
All Customer Data is processed and stored on servers located in highly-secure, SOC 2 compliant Amazon Web Services (AWS) data centers. By using AWS SentinelOne can rely on the abilities of AWS to provide SOC 2 compliant functionality for the SentinelOne customer. While we recognize that SOC 2 is an industry standard, it is not the only industry standard. SOC 2 is enjoying a surge in popularity as a standard currently, it is true. However, SentinelOne has obtained an ISO 27001 certification, which is a well respected security qualification from the International Standards Organization. The ISO process has included multiple audits (by an independent CPA firm) at each of the SentinelOne sites, and the certification specifically covers SentinelOne's product offerings, including the operation production environment, and the software development process.
Sarbanes Oxley (SOX)
We can help a customer become or maintain SOX compliant for their own business, and we have a number of customers that successfully use SentinelOne products and services to meet their SOX requirements for AV and anti-malware. However, SentinelOne, as a company, does not sell goods or perform services that would require SentinelOne itself to comply with SOX.
Reports not sending (MGMT-16208)
SentinelOne has added a fix in Console Upgrade: Machu Picchu SP4, applied in Jan 2021.
You may see the error: "Failed to send email." If you click to download a Report as PDF, you may see the error:
code 5000010
detail "Server could not process the request."
title "Internal server error."
You can use this tool to download the data you need:
Microsoft Power BI lets you connect to and visualize data with a unified, scalable platform for enterprise business intelligence (BI).
Please try out SentinelOne's community project - https://github.com/guysentinel/s1_manager - A tool that uses SentinelOne API capabilities in order to obtain data to generate reports.
Aladdin HASP License Manager Service, SafeNet, Aladdin, USB License Key Exclusions
SentinelOne has been known to interfere with these directories that are used to verify licensing for applications.
\Device\HarddiskVolume*\Windows\System32\hasplms.exe
\Device\HarddiskVolume*\*\License\Install\Authenticate.exe
\Device\HarddiskVolume*\*\License\SentinelRuntime\haspdinst.exe
\Device\HarddiskVolume*\*\License\SentinelRuntime\HASPUserSetup.exe
\Device\HarddiskVolume*\ProgramData\SafeNet Sentinel\
\Device\HarddiskVolume*\Program Files (x86)\Common Files\SafeNet Sentinel\
\Device\HarddiskVolume*\Program Files (x86)\Common Files\Aladdin Shared\HASP\
https://www.file.net/process/hasplms.exe.html - HASPLMS (Aladdin HASP License Manager Service)
https://www3.thalesgroup.com/products/sentinel/software_protection.asp - Software Protection & Licensing
SentinelInstaller Large Size
End users may see .etl files grow if/when the install did not close out its logging session. To allow the .etl file to be deleted:
CMD > Perfmon
Search for a running SentinelInstaller session under:
> Data Collector Sets > Event Trace Sessions.
If it is listed as running, stop that session. Then the ETL file can be deleted.
macOS Agent Remote Shell Capability Requires Full-Disk-Access Permission To Operate
In the Console, you will see in the endpoint details:
1 Pending Actions Details
Missing Permissions Permissions Required: Agent Remote Shell capability requires Full-Disk-Access permission to operate.
Confirm the Security & Privacy settings show that the authorizations are done like this:
If you Command+Shift+G and navigate to: /Library/Sentinel/sentinel-agent.bundle/Contents/MacOS/, but see no contents, try manually navigating using the Finder. Then drag and drop the 3 apps into the Security & Privacy window:
sentinel_shell
sentineld
sentineld_helper
Activity Analyzer for Interoperability Applications (Help Setting Exclusions)
Please note, you must be running Agents: Windows 4.5.1+ to generate and view these reports.
The steps outlined in this article will help you identify specific directories that you will set exclusions for when you're experiencing interoperability issues with known-safe applications.
> Actions > Fetch Logs.
Then download them from the Console's Activity page: /activity/.
Once downloaded, view the archived data using 7-Zip.
Open "LatestActivityAnalyzerReport.txt" using notepad.
This text file contains a list of processes that the Agent spends the most time monitoring. If you see a directory related to your interoperability application (and you've confirmed this is a safe application), create a path exclusion in the Management Console. Reboot the affected endpoints then test if the exclusion resolves the issue.
For example, in the screen capture example below, we may recommend exclusions for the following CentraStage directories if you are experiencing interoperability issues or slowness of your Datto RMM application.
8) \Device\HarddiskVolume3\Program Files (x86)\CentraStage\UltraVNC\winvnc.exe: [1s 168ms 2.7684%]
10) \Device\HarddiskVolume3\Program Files (x86)\CentraStage\CagService.exe: [902ms 2.13993%]
Wildcard the exclusions to apply a broader scope to ensure interoperability is resolved on all endpoints:
\Device\HarddiskVolume*\Program Files*\CentraStage\UltraVNC\winvnc.exe
\Device\HarddiskVolume*\Program Files*\CentraStage\CagService.exe
Please review the Best Practices for Exclusions, as well as the Not Recommended Exclusions.
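As an added example (not part of the original cheat sheet and not a SentinelOne tool), the following script parses the LatestActivityAnalyzerReport.txt format shown above and turns matching entries into the wildcarded exclusion paths described here. The sample report text is constructed; the first line is invented to show filtering, the other two are the report lines quoted above.

```python
"""Parse a LatestActivityAnalyzerReport.txt and propose wildcarded path
exclusions for a named interoperability application."""
import re
from typing import List, NamedTuple

# Constructed sample: line 1 is invented, lines 2-3 are the report lines quoted
# in the cheat sheet (rank) path: [elapsed percent%].
SAMPLE_REPORT = r"""
1) \Device\HarddiskVolume3\Windows\System32\svchost.exe: [10s 432ms 24.71%]
8) \Device\HarddiskVolume3\Program Files (x86)\CentraStage\UltraVNC\winvnc.exe: [1s 168ms 2.7684%]
10) \Device\HarddiskVolume3\Program Files (x86)\CentraStage\CagService.exe: [902ms 2.13993%]
"""

# "8) <path>: [<elapsed> <percent>%]"; the path is a \Device\... path with no colon.
LINE_RE = re.compile(r"^\s*(\d+)\)\s+(.+):\s+\[(.*?)\s+([\d.]+)%\]\s*$")
# Duration tokens such as "1s", "168ms", "2m"; "ms" must be tried before "m".
DURATION_RE = re.compile(r"(\d+)\s*(ms|h|m|s)")
UNIT_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}


class Entry(NamedTuple):
    rank: int
    path: str
    elapsed_ms: int
    percent: float


def parse_elapsed(text: str) -> int:
    """Convert '1s 168ms' or '902ms' into milliseconds."""
    return sum(int(v) * UNIT_MS[u] for v, u in DURATION_RE.findall(text))


def parse_report(text: str) -> List[Entry]:
    """Return one Entry per well-formed report line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rank, path, elapsed, percent = m.groups()
        entries.append(Entry(int(rank), path, parse_elapsed(elapsed), float(percent)))
    return entries


def wildcard_path(path: str) -> str:
    """Broaden a device path the way the cheat sheet recommends:
    HarddiskVolumeN -> HarddiskVolume*, Program Files (x86) -> Program Files*."""
    path = re.sub(r"HarddiskVolume\d+", "HarddiskVolume*", path)
    return re.sub(r"Program Files( \(x86\))?", "Program Files*", path)


def suggest_exclusions(entries: List[Entry], app_keyword: str,
                       min_percent: float = 0.0) -> List[str]:
    """Wildcarded exclusions for entries whose path mentions the application,
    highest monitoring share first. Only use this for applications you have
    confirmed are safe; the report itself says nothing about trust."""
    key = app_keyword.lower()
    matched = [e for e in entries
               if key in e.path.lower() and e.percent >= min_percent]
    seen, result = set(), []
    for e in sorted(matched, key=lambda e: e.percent, reverse=True):
        wc = wildcard_path(e.path)
        if wc not in seen:
            seen.add(wc)
            result.append(wc)
    return result


if __name__ == "__main__":
    for exclusion in suggest_exclusions(parse_report(SAMPLE_REPORT), "CentraStage"):
        print(exclusion)
```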
0x80070005 VSS - Access Is Denied
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
This is often caused by incorrect security settings in either the writer or requestor process.
Configure a Policy Override:
{
"vssConfig": {
"enableResearchDataCollectorVssWriter": false
}
}
Restart the endpoints and confirm if you're no longer seeing VSS issues.
Excel, BlueBeam Interoperability, Macros, Embedded Plug-In, "CMD.exe" /C dotnet --list-runtimes
The exclusion is for the command line arguments that the plugin uses.
Adding the following Hash exclusion will resolve interoperability issues.
51c7f261497cc67d1ef1cb9f2164a34f23424731
This is the Hash of the command line arguments. If the plugin uses the same arguments, it will generate the same Hash. (NOTE: in every BlueBeam case I have had, the Hash is always the same).
The action which is mainly responsible for incident triggering is the execution of the below CMD line:
"CMD.exe" /C dotnet --list-runtimes
Based on the results, in cases where the CMD command line arguments are confirmed as legitimate:
Create new 'Hash' exclusion and exclude the above CMD line by Hash.
Or set a Policy Override:
{
"exclusionConfig": {
"macroPatternsList": [
"*CMD.exe*C dotnet --list-runtimes*"
]
}
}
Quest Rapid Recovery
The transfer failed: 'Call to service method https://hexa-mail:8006/apprecovery/api/agent/transfer/snapshots POST failed: The transfer failed: 'Key being added: 'Alphaleonis.Win32.Vss.VssWMComponent'"
Create a Policy Override:
{
"vssConfig": {
"agentVssWriters": false,
"enableResearchDataCollectorVssWriter": false
}
}
Please note: you need to reboot the endpoint for this change to go into effect.
Export Exclusions To CSV
Download the s1_manager.exe tool here: https://github.com/guysentinel/s1_manager/blob/master/README.md
Run this with your SentinelOne user profile, so that the API Token matches the data scope you want (Account/Site/Group structure).
File will be created in the directory that you run the s1_manager.exe from.
Package Versions
To get an Agent download: https://sentinelone.sharefile.com/d-sb7f8e7da95f440ba
Best Practice: Download the Agent from your Console > Sentinels > Packages.
Definitions are as follows:
EA (Early Availability): EA releases give partners a chance to try out new releases before they are publicly available. This lets SentinelOne see how the new release does in the real world and resolve any issues that arise before the GA is released.
GA (General Availability): The release is ready for the public.
SP (Service Pack): A release on top of a GA version that fixes issues identified in an EA or GA release.
LogMeIn Detections
From what we see in the Threat URLs, Hash or Path exclusions are the only Console options for excluding these threats.
The Agent is doing exactly what it's supposed to do. This exe is an unsigned, unverified, remote access tool. Check with LogMeIn and see if they can provide a link for a signed / verified exe download link.
Do not set exclusions. In this case, find a safer file to download.
Edge Browser Issues
This is an OS Bug verified by Microsoft. Microsoft has deployed a fix in May 2021.
Disabling this hook will affect protection. Encrypted traffic through the browser will not be visible to SentinelOne. If you use the Complete license, then Deep Visibility data will be limited as well.
Run CMD as admin:
> Start > enter "CMD" > Right-click Command Prompt > Run as Administrator.
Run:
CD "Program Files\SentinelOne\Sentinel Agent <version>"
sentinelctl config -p agent.hooksExclusion -v "{\"hooksExclusionVector\": [{\"exclusions\": [\"NtSetInformationProcess\"],\"pattern\": \"C:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe\"}]}" -k "Passphrase"
Or as a Policy Override:
{
"exclusions": [
"NtSetInformationProcess"
],
"pattern": "Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
}
SentinelAgent.exe Services Stuck In Starting
Collect the Agent's passphrase from the Management Console.
Next, on the impacted endpoint, open an elevated command prompt (cmd.exe > Run as Administrator).
Within the command prompt window, use the cd command to change the working directory to the following path, where <version> is the version of the SentinelOne Agent installed:
CD C:\Program Files\SentinelOne\Sentinel Agent <version>
Within the above directory, run the following commands where <passphrase> is the Agent's passphrase collected above:
sentinelctl unload -a -k "<passphrase>"
sentinelctl apply_config -p -k "<passphrase>"
After performing the above steps, reboot the endpoint.
Upon booting back into the OS, please verify if the Agent's service now shows as started.
Related: apply_config is going to reset the Agent settings for the registry to get back to a default state. If the Agent went offline because the DB crashed the Agent, then prune the db.
Recommendations For Installing SentinelOne On A Server
Follow these steps to create exclusions on SentinelOne's Console before installing the SentinelOne Agent on Servers.
Navigate to:
> Site scope > Click + to add a New Group.
(Or navigate to:/groups/add and create a Group for your selected scope).
Enter the Group Name: Servers
After entering the Group Name, select Static Group.
In the Group Policy, make sure you select Change Policy.
After selecting Change Policy,
> Detect Alert Only, for both Malicious Threat and Suspicious Threat.
You will edit this later once exclusions are made for business-critical applications.
> Create Group, then select Add group's exclusions.
> New Exclusion > Add from Exclusions Catalog.
Select the applications that apply to your Server.
Select Exclude from Current Scope.
Important: Ask your application vendors for a list of recommended antivirus exclusions, and add exclusions for all business-critical applications.
You can now install SentinelOne on your Servers and use the Group Token during installation, which can be found at
> Sentinels > Group Info or by navigating here: /sentinels/group-info/.
Monitor SentinelOne's Incidents Threats page here: /incidents/threats, and add any additional exclusions that you see SentinelOne detecting as a false positive for business-critical applications.
Once your exclusions are configured, modify your Policy to Protect for both Malicious Threat and Suspicious Threat here: /sentinels/policy/default/.
Adobe Interoperability 4.6.11.20182
4.6.11.20182 is an Engineering Build provided by SentinelOne's Engineering Team. They stated this will fix the Adobe issues.
Please note that the official fix will be on these Agent versions:
5.1.0.10997 (master) - 5ecbc153bc5504dfd0f59c0120edd7cdd740e89a
5.0.1.119 - 5ffee3543c3db067833af933ba2730225ffb4dda
4.7.2.230 - 231a8287c2a596b227071695155d1a50d4cf1e1b
4.6.13.268 - a12108cb47d8256f11bf42b0c57e71c862f06bc1
4.5.13.269 - 1c6fa6c2c25e70fcb7fcd23c90a64966523182cf
Detect Only Mode Explained (Why Some Detections Aren't Reported)
When SentinelOne detects a threat, it is reported to the Console.
However, SentinelOne injects into and monitors all applications on the endpoint.
While most applications accept this and continue running, some applications terminate because of this monitoring.
Because the third-party application terminated on its own, SentinelOne does not report anything.
You can review the logs to find what files SentinelOne is monitoring and recommend possible exclusions to allow interoperability. There is a tool called the Agent Activity Analyzer that allows you to look at what SentinelOne is monitoring.
Create New Site
From the Account scope, Click the + icon next to your Account name (Use the Scope view on the left side-bar menu). Or navigate to sentinelone.net/site.
Type in the name of your new customer then click next.
If you are on a trial choose 'Trial' and set the expiration date to match when your trial ends. You can check your expiration date here: /settings/accounts. If you are not on a Trial, choose 'Paid' and follow the next steps.
Select the License Type. Please note, Core licenses were removed Aug 2020. They were replaced with Control. Please note, this can be edited after creating the Site; Edit created Sites here: /settings/sites-table.
Choose to inherit your policy from the global default (your Account scope) or break the inheritance of the global default policy by clicking "Change Policy" at the top of the window. Then set your preferred policy. Please refer to the Policy Mode Best Practices.
If you receive the error "Cannot create a Paid site where account is Trial", go back to "Add New Site" and change the Site Type to 'Trial'.
If you receive the error "Cannot set unlimited expiration for account with expiration", go back to "Add New Site" and change the Expiration Date to match the expiration date here:/settings/accounts.
If you receive the error "Scope global has no licenses of type "Core"", go back to "Add New Site" and change the License Type to Control or Complete.
If you receive the error "Licenses in site cannot exceed the number of licenses in account", go back to "Add New Site" and change the License Quantity to a lower number than your allotted Account licenses here: /settings/accounts.
Move Agents Between Accounts/Sites
Endpoint ID data is cached on the Console, which prevents endpoints from being migrated between Accounts using the Actions > Migrate Agent command. Instead, use the API to change the endpoint identity data. This action must be performed by a Global Administrator.
A new Site must be created before the endpoints can be moved. Exclusions should already be setup before endpoints are moved (if needed).
From the Management Console, navigate to:
> APIDoc > API Reference > Agent Actions > Move between sites
Fill in the correct IDs below, paste this into the request body, then run it from the Console.
{
"data": {
"targetSiteId": "Destination Site ID"
},
"filter": {
"siteIds": [
"Source Site ID"
]
}
}
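The same move, as an added example that is not SentinelOne's own code: the request body is the one shown above; the endpoint path /web/api/v2.1/agents/actions/move-to-site, the "ApiToken" authorization scheme and the console URL are assumptions taken from the public API reference, so confirm them against APIDoc on your Console before use.

```python
"""Move every Agent of one Site to another Site via the Management API.
Assumed endpoint: POST /web/api/v2.1/agents/actions/move-to-site."""
import json
import urllib.request
from typing import Dict

# The literal placeholders from the cheat sheet; refuse to send them by accident.
PLACEHOLDERS = {"Source Site ID", "Destination Site ID", ""}


def build_move_body(source_site_id: str, target_site_id: str) -> Dict:
    """Build the request body shown in the cheat sheet. The filter selects
    ALL Agents in the source Site, so create the target Site and its
    exclusions first (as the cheat sheet says) and double-check the IDs."""
    if source_site_id in PLACEHOLDERS or target_site_id in PLACEHOLDERS:
        raise ValueError("replace the placeholder Site IDs with real ones")
    if source_site_id == target_site_id:
        raise ValueError("source and destination Site IDs are identical")
    return {
        "data": {"targetSiteId": target_site_id},
        "filter": {"siteIds": [source_site_id]},
    }


def move_agents(console_url: str, api_token: str, source_site_id: str,
                target_site_id: str, timeout: int = 30) -> Dict:
    """Send the move request with a Global Administrator's API token.
    console_url is your Console base URL, e.g. https://<tenant>.sentinelone.net
    (placeholder). Returns the parsed JSON response."""
    body = json.dumps(build_move_body(source_site_id, target_site_id)).encode()
    req = urllib.request.Request(
        console_url.rstrip("/") + "/web/api/v2.1/agents/actions/move-to-site",
        data=body,
        method="POST",
        headers={
            # Assumed header scheme for SentinelOne API tokens.
            "Authorization": "ApiToken " + api_token,
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: show the body that would be sent (constructed example IDs).
    print(json.dumps(build_move_body("1234567890", "9876543210"), indent=2))
```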
Remote Shell / PowerShell
Run sentinelctl with this format:
.\sentinelctl
Canary Updates
Canary updates are a technique to reduce the risk of introducing a new application into production by slowly rolling out the change to a small subset of users before rolling it out to the entire environment and making it available to everybody. You can achieve this by manually grouping test endpoints in a Static Group, then choosing one or two groups to run a newer version of the Agent for a week or two, and then evaluating.
SentinelOne's Maintenance Window is designed to deploy updates during a specific time frame, but you are still required to initiate the update process each time.
SentinelOne is still developing a fully automated Agent update process. Your Agents will not auto update after installation or deployment of an Agent.
> Actions > Update Agent
Run the command from the Console, or deploy updated Agents via an RMM or MDM which will require a Policy Override for local updates. 4.5 requires local updates to be enabled manually.
Addigy MDM Full Disk Access
Network Properties @%systemroot%
SentinelOne has added a fix in package versions: 4.2.2+
You install the SentinelOne Windows Agent 4.1. Then you see that the Network properties start with the string @%systemroot%.
This issue affects Agents: Windows 4.1.1 - 4.1.4, 4.2.1.
Threat Automatically Marked As Resolved
From Kauai SP2, these threats are automatically marked as Resolved and will show Automatically resolved by the SentinelOne Console:
Threats older than one month on decommissioned Agents.
Threats on Sites that have been expired for more than three weeks.
os_type Is Incorrect
The field os_type is deduced from the field os_name that is sent during registration.
The content of the field os_name is found in two ways:
First, registry path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Look for the value "ProductName."
Second, if that doesn't work, the SentinelOne Agent prints an error to the log and will try to find a match between the kernel version of the os to a pre-made list of kernel versions and os names.
To fix:
Modify the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, specifically its value "ProductName".
Add the word "windows" to the value (for example, if the current value is "Hyper-V Server 2016", change it to "Hyper-V windows Server 2012 R2") and restart.
SentinelOne is checking this parameter every time the Agent is checking connectivity to the Management Console (every 30 seconds).
Eicar and RanSim
SentinelOne will not trigger Network Quarantine for the Eicar test file: https://www.eicar.org/?page_id=3950
"Network quarantine is only triggered for behavioral malicious detection."
Test Network Quarantine using RanSim: https://support.knowbe4.com/hc/en-us/articles/229040167-RanSim
"RanSim is a tool that simulates the behavior of ransomware..."
SentinelInstaller SentinelCtl Install_autologger_sessions Returned: -1
This non-SentinelOne related registry change resolved the error (environment related).
Win32 Error: Not enough storage is available to process this command.
> Start > Run > regedit.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
> Edit > New > DWORD Value.
Type IRPStackSize, and then press ENTER to name the value. Note: type IRPStackSize exactly as it is displayed; the value name is case sensitive.
> Edit > Modify.
In the Data Value box, type the value that is appropriate for the network, and then click OK.
Find SHA1 Hash
https://community.spiceworks.com/how_to/127204-how-to-find-the-sha-hash-of-a-given-file
> Start > Search for PowerShell and launch it.
Get-FileHash -Path c:\*.exe -Algorithm SHA1 | fl
OfflineLogCollector, LogCollector.exe
1. Open an elevated CMD prompt.
2. Run:
CD C:\Program Files\SentinelOne\Sentinel Agent <version>\Tools
mkdir c:\temp
LogCollector.exe WorkingDirectory=c:\temp
With CMD, you enter the output directory in the command. You can use a name other than "temp".
When you press Enter on the last command, the LogCollector starts immediately and shows the status of the tool processes.
If the tool shows a message that it cannot find the output directory, make sure you entered an existing path as the WorkingDirectory.
Fetching Logs Time Limit
Code: 4000040
detail: "The requested files do not exist. Fetched logs are deleted after 14 days, or earlier if more than 30 logs are fetched."
title: "Bad Request"
Repeated Failed Login Attempts. Temporarily Locked.
If a user attempts to log in to the Management Console unsuccessfully 3 times, the user is locked out of the Console for 30 minutes.
To unlock the user you can:
Wait 30 minutes.
Or have the user reset their password; Send a Verification Email from the Console:
> Settings > Users > Actions > Send Verification Email.
vssProtection , vssSnapshots Policy Override
To disable vssProtection and vssSnapshots, use the Policy Override below. This will take 3-5 minutes for the endpoint to automatically apply the changes once the endpoint is moved to the scope where the Policy Override is applied.
{
"vssConfig": {
"vssProtection": false
},
"vssSnapshots": false
}
SentinelInstaller.log Agent Traces
A quick demo showing how to review a .log file for SentinelOne installations. In this case, the install failed because there's a previous Agent installed. Resolve by using the uninstall tool, then performing a clean install.
Console Reports (PDFs Available)
APPLICATION INSIGHTS:
Applications Installed And Executed On Every Device.
EXECUTIVE INSIGHTS:
Threat Metrics: Not Mitigated, Mitigated, Marked as Benign.
Most At-Risk User, Device, Group.
Agents Installed, Removed, Decommissioned, Scanned.
EXECUTIVE INSIGHTS BY GROUP:
Executive Insights Report For Specific Group.
MITIGATION AND RESPONSE INSIGHTS:
Automatically, Manually Mitigated Threats.
Active Threats.
Mitigation Success, Mitigation Failed.
THREATS INSIGHT:
Threats Status, Incidents Status, Confidence Level, Analyst Verdict, Initiated By, Detecting Engines, Classification.
Top Devices, Group, Sites At Risk.
Top Indicators.
VIGILANCE INSIGHTS:
Vigilance Threat Handling Trends.
Threat Actions Trends.
Vigilance SLA Trends.
Threat Activities, Administrative Activities By Vigilance.
Azure SSO Integration
In Azure AD Admin Center, create a Non-gallery application and name it “SentinelOne SSO”
> Dashboard > Enterprise applications - All applications > Categories > Add an application
> Dashboard > Enterprise applications - All applications > SentinelOne - Single sign-on > SAML-based Sign-on
Basic SAML Configuration
Copy the following from SentinelOne into Azure:
Identifier (Entity ID) = SP Entity ID
Reply URL (Assertion Consumer Service URL) = Assertion Consumer Service URL
SAML Signing Certificate
Download the Certificate (Base64)
You must use Base64!
Upload it to SentinelOne
Set up SentinelOne
Copy from Azure into SentinelOne
Login URL = IDP redirect URL
Azure AD Identifier = IssuerID
SentinelOne - Users and groups
Add users to your SentinelOne group in Azure.
This will populate the app in myapps.microsoft.com.
Common Error:
Did not use Base64 certificate.
LionGard Inspector
This document provides the steps required to configure the SentinelOne Inspector: https://docs.liongard.com/docs/sentinelone-inspector
All User Accounts Are Expired
If you log into the S1 Console and receive the error "All user accounts are expired", then the Account is expired and needs to be reactivated.
You can confirm this by navigating to /settings/accounts and using the drop-down menu at the top right to 'Show Expired'
There is no UI to reactivate an Account. It must be performed through the API.
SentinelInstaller Win32 error code: 3
ERROR System requirements not met: "Installation stopped; Failed to check system requirements, Win32 error code: 3"
This error indicates that the endpoint does not meet the system requirements, likely needs to run Windows OS updates.
Authentication Failed While Downloading Package
When downloading the Agent, you get the error:
{"errors":[{"code":4010010,"detail":null,"title":"Authentication Failed"}]}
Solution: Authentication to the Console URL is required. Confirm you logged into the correct URL and that it wasn't redirected. If using API, use the login Token first.
The authorization token that is provided when logging into a console provides the URL of the login action. When accessing the package repository on the Console it checks the authorization token against the URL of the file being downloaded to confirm that they match. If you have an alias, the package repository is unaware that the URL alias is valid and registers a block due to not being authorized.
Configurable Network Quarantine, Firewall Control, Location Awareness Status Incorrect
SentinelOne has added a fix in Console Upgrade: Liberty.
MGMT-14150
MGMT-14374
MGMT-14888
Resolved: In the Endpoints page and filters, these filters were disabled and did not show correct results: Configurable Network Quarantine Enabled, Firewall Control Enabled, Location Awareness Enabled.
In the Endpoint Details, the Firewall status and Configurable network quarantine status showed as Disabled, even if they were enabled.
Liberty SP5
Machu Picchu SP2
macOS Allow Kext
On macOS 10.13 High Sierra through 10.15 Catalina, end users must approve the kernel extension.
See System Requirements for compatible Agent and OS details.
Why does nothing happen when clicking the ‘Allow’ button on macOS?
Apple requires users to explicitly allow the installation of third-party system extensions.
> System Preferences > Security & Privacy > General > Click ‘Allow’.
If clicking the ‘Allow’ button does nothing:
> System Preferences > Keyboard > Shortcuts > Click ‘All Controls’
Close or Quit the System Preferences then reopen it.
> System Preferences > Privacy & Security > General
Ensure the lock on the bottom left of the Security & Privacy settings window is unlocked.
Press ‘Tab’ until ‘Allow’ is selected then press the ‘Spacebar’
macOS Endpoint Security Error!
MAC-1723
In some cases, the Agent UI displays "Endpoint Security Error" after the first update to the Kextless Agent. This is caused by a failure in loading the macOS Endpoint Security framework. To resolve, reboot the endpoint.
Beta 4.4.0.3349
Reactivate Sites, Sites Expired
If you see an Account with Sites missing under it, the Sites are expired.
Navigate to /settings/sites-table.
Change the drop-down menu to “Show Expired”
Check the box for the Site you want to reactivate.
> Actions > Reactivate
Set unlimited expiration.
SentinelOne - The Entered Verification Key Is Incorrect
Confirm you entered the correct Passphrase from the Console.
> Actions > Show Passphrase
If so, then the Endpoint is out of sync with the Management Console.
In the Console, locate the endpoint.
> Actions > Randomize UUID
Wait a few minutes for it to generate, then check your endpoint lists for a new instance of the same endpoint name. Try the command using the new passphrase.
> Actions > Decommission
to remove the offline duplicate endpoint from your Console.
Network Quarantine Not Active After Using Test Malware File
SentinelOne has added a fix in package versions: 4.5 SP1.
Network Quarantine does not always function properly with version 4.5.2.136.
You can apply a Policy Override to allow the quarantine feature to work correctly:
{
"firewallControl": {
"allowOverridingUserDefinedPermitFilters": false
}
}
Navigation Toolbar Tray Blank Icon
SentinelOne has added a fix in package versions: 4.4.4.223 +, 4.7.0.10432 +
SentinelOne's Dev Team was made aware of this issue. There was a bug in the tray icon handling library they are using: tray icons which are "hidden" in that library are displayed again after the taskbar is re-created. That library needs to check whether the icon is hidden before creating it in the special circumstance where the taskbar is re-created.
There shouldn't be any other side effects to this issue. Update your Agents to resolve this issue.
Register with Windows Security Center (Windows Defender)
SentinelOne will set itself as the default AV application in WSC and disable Windows Defender during install. If it didn't, then you can manually set the Agent to register.
CD C:\Program Files\SentinelOne\Sentinel Agent <version>
sentinelctl config wscRegistration true -k "MY PASS PHRASE"
true = disable Windows Defender
false = do not disable Windows Defender
On Windows Server 2019 and 2016, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus application. If Microsoft Defender is enabled on the server, it will run in parallel with SentinelOne. We recommend that you disable Microsoft Defender Antivirus on Servers that run SentinelOne. Using both programs in parallel is likely to cause compatibility issues.
You can use this article from Microsoft to disable Windows Defender: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016
Installing SentinelOne may give an error stating a reboot is required. Upon rebooting, this error message persists. The error message says to contact support. This may be related to Windows Defender – run a checkdisk and then disable Windows Defender’s Controlled Folder Access option in the Ransomware settings.
Manual Uninstall (Windows)
The current manual process to remove the installed elements of SentinelOne on an endpoint is to boot into Safe Mode and then, with an Admin account, remove the following registry entries. If some of these entries do not exist, that is fine; just make sure to remove the items that appear by searching the entire registry for the term 'sentinel', but do not remove any item listed as sentinel3.5, as that is part of Microsoft.
This was the current registry list from a 2.6 agent and will be accurate for the older versions 2.5.4 and 2.5.6. There are some registry keys that you might have to take ownership of to remove them, and for some keys a nested item under a major key needs to be removed before the main key can be; here is a KB that should assist with those items.
Delete entire key:
Computer\HKEY_CLASSES_ROOT\AppID\{1ECB7470-7BA4-4F64-A41D-BDF1B38DEED8}
Computer\HKEY_CLASSES_ROOT\AppID\{4F58E51B-3F2B-4807-AB8C-2A7F143E9C3F}
Computer\HKEY_CLASSES_ROOT\AppID\SentinelHelperService
Computer\HKEY_CLASSES_ROOT\CLSID\{28B58EFD-EED3-49D0-9AC3-A7A9E39A6303}
Computer\HKEY_CLASSES_ROOT\CLSID\{DFE127B0-F72C-40FB-BEF8-9F29CB996B9C}
Computer\HKEY_CLASSES_ROOT\Interface\{0420773B-38C3-4300-AD2B-23652FEEE26C}
Computer\HKEY_CLASSES_ROOT\Interface\{51821FE8-516B-4BE3-9578-31B2DFAD4042}
Computer\HKEY_CLASSES_ROOT\Interface\{8E470FB5-6800-4FF6-8E0A-620F676C912E}
Computer\HKEY_CLASSES_ROOT\SentinelAgent
Computer\HKEY_CLASSES_ROOT\SentinelHelper
Computer\HKEY_CLASSES_ROOT\SentinelOneLog
Computer\HKEY_CLASSES_ROOT\TypeLib\{667D5A92-7C14-4687-B20E-A5CF06FEF1AF}
Computer\HKEY_CLASSES_ROOT\TypeLib\{BED0DAEE-A8DC-40E6-AAD6-DCA5532B746C}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID\{1ECB7470-7BA4-4F64-A41D-BDF1B38DEED8}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID\{4F58E51B-3F2B-4807-AB8C-2A7F143E9C3F}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID\SentinelHelperService
Computer\HKEY_CLASSES_ROOT\WOW6432Node\Interface\{0420773B-38C3-4300-AD2B-23652FEEE26C}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\Interface\{51821FE8-516B-4BE3-9578-31B2DFAD4042}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\Interface\{8E470FB5-6800-4FF6-8E0A-620F676C912E}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\TypeLib\{667D5A92-7C14-4687-B20E-A5CF06FEF1AF}
Computer\HKEY_CLASSES_ROOT\WOW6432Node\TypeLib\{BED0DAEE-A8DC-40E6-AAD6-DCA5532B746C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1ECB7470-7BA4-4F64-A41D-BDF1B38DEED8}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4F58E51B-3F2B-4807-AB8C-2A7F143E9C3F}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{28B58EFD-EED3-49D0-9AC3-A7A9E39A6303}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFE127B0-F72C-40FB-BEF8-9F29CB996B9C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0420773B-38C3-4300-AD2B-23652FEEE26C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{51821FE8-516B-4BE3-9578-31B2DFAD4042}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8E470FB5-6800-4FF6-8E0A-620F676C912E}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SentinelAgent
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SentinelHelper
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SentinelOneLog
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{667D5A92-7C14-4687-B20E-A5CF06FEF1AF}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BED0DAEE-A8DC-40E6-AAD6-DCA5532B746C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{1ECB7470-7BA4-4F64-A41D-BDF1B38DEED8}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\{4F58E51B-3F2B-4807-AB8C-2A7F143E9C3F}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\AppID\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0420773B-38C3-4300-AD2B-23652FEEE26C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51821FE8-516B-4BE3-9578-31B2DFAD4042}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E470FB5-6800-4FF6-8E0A-620F676C912E}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{667D5A92-7C14-4687-B20E-A5CF06FEF1AF}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\TypeLib\{BED0DAEE-A8DC-40E6-AAD6-DCA5532B746C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sentinel Agent
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelAgent.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelCtl.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelHelperService.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelRemediation.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelServiceHost.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelStaticEngine.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelStaticEngineScanner.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SentinelOneLog
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\AppID\{1ECB7470-7BA4-4F64-A41D-BDF1B38DEED8}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\AppID\{4F58E51B-3F2B-4807-AB8C-2A7F143E9C3F}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\AppID\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{0420773B-38C3-4300-AD2B-23652FEEE26C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{51821FE8-516B-4BE3-9578-31B2DFAD4042}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{8E470FB5-6800-4FF6-8E0A-620F676C912E}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{667D5A92-7C14-4687-B20E-A5CF06FEF1AF}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\TypeLib\{BED0DAEE-A8DC-40E6-AAD6-DCA5532B746C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelAgent.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelCtl.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelHelperService.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelRemediation.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelServiceHost.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelStaticEngine.exe
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelStaticEngineScanner.exe
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\SentinelLogger
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\SentinelLogSession0
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\SentinelStatic
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LogProcessorService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SentinelAgent
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SentinelMonitor
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SentinelStaticEngine
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SentinelLogger
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SentinelLogSession0
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SentinelStatic
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LogProcessorService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelAgent
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelMonitor
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SentinelStaticEngine
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\LogProcessorService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\SentinelAgent
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\SentinelHelperService
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\SentinelMonitor
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\FirstBoot\Services\SentinelStaticEngine
Under the following key, remove only the DWORD value SentinelOneLog_.binlog (the key itself stays):
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\SentinelOneLog_.binlog
Under the following key, remove only the Binary value "Sentinel Agent":
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Under the following key, delete only the REG_SZ value "Sentinel Agent":
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Any entries found under the following keys can be ignored:
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Computer\HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage
Computer\HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage
Computer\HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
Computer\HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Computer\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage
Computer\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Computer\HKEY_USERS\S-1-5-21-1806770870-1541754041-2194150629-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage
Computer\HKEY_USERS\S-1-5-21-1806770870-1541754041-2194150629-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage
Computer\HKEY_USERS\S-1-5-21-1806770870-1541754041-2194150629-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs
After these registry entries are removed, delete the following top-level directories and everything inside them:
C:\ProgramData\Sentinel\
C:\Program Files\SentinelOne\
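A read-only check to confirm the manual cleanup above is complete, written in PowerShell as an added example (it is not from the cheatsheet or from SentinelOne). It assumes the "Computer\..." key paths listed above are saved one per line in a text file passed as -ListPath; the three value-only entries and the two folders are hardcoded from the list above.

```powershell
# Added example, not part of the original cheatsheet: a read-only audit that reports
# which of the keys, values and folders listed above still exist, so a manual cleanup
# can be verified before rebooting. It deletes nothing. Assumption: the "Computer\..."
# key paths above are saved one per line, as copied from regedit, in -ListPath.

# regedit hive names -> provider drives; HKCR: and HKU: are not pre-mapped.
foreach ($d in (@{ HKCR = 'HKEY_CLASSES_ROOT'; HKU = 'HKEY_USERS' }).GetEnumerator()) {
    if (-not (Get-PSDrive -Name $d.Key -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $d.Key -PSProvider Registry -Root $d.Value -Scope Global | Out-Null
    }
}

function ConvertTo-ProviderPath([string]$RegeditPath) {
    $p = $RegeditPath.Trim() -replace '^Computer\\', ''
    $p = $p -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\'
    return $p -replace '^HKEY_CLASSES_ROOT\\', 'HKCR:\' -replace '^HKEY_USERS\\', 'HKU:\'
}

# The three entries above where only a single value is removed, not the key.
$ValueChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts'; Name = 'SentinelOneLog_.binlog' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'; Name = 'Sentinel Agent' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Sentinel Agent' }
)

function Get-SentinelRemnant([string]$ListPath) {
    $found = New-Object System.Collections.Generic.List[object]
    # Whole keys: any that still exists means the cleanup is incomplete.
    foreach ($line in Get-Content -LiteralPath $ListPath) {
        if ($line -notmatch '^\s*Computer\\') { continue }
        $path = ConvertTo-ProviderPath $line
        if (Test-Path -LiteralPath $path) {
            $found.Add([pscustomobject]@{ Type = 'Key'; Path = $path; Value = '' })
        }
    }
    # Single values: the parent key is normal Windows state, only the value matters.
    foreach ($v in $ValueChecks) {
        if (Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue) {
            $found.Add([pscustomobject]@{ Type = 'Value'; Path = $v.Key; Value = $v.Name })
        }
    }
    foreach ($dir in 'C:\ProgramData\Sentinel', 'C:\Program Files\SentinelOne') {
        if (Test-Path -LiteralPath $dir) {
            $found.Add([pscustomobject]@{ Type = 'Folder'; Path = $dir; Value = '' })
        }
    }
    return $found
}

Get-SentinelRemnant -ListPath '.\sentinel-keys.txt' | Format-Table -AutoSize
```

An empty table means every listed key, value and folder is gone; anything reported is what still needs removing before the reboot.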