Capture Client (CC): Exclusions from Third-Party AV

Description

If a third-party antivirus product is installed on your endpoints, it might block Capture Client.

To let Capture Client co-exist with other security vendors:

  1. See the vendor's documentation to learn how to exclude applications and paths from its scanning and blocking.
  2. Exclude the files and folders listed below for the relevant operating system.

Windows

Make sure to exclude subfolders. Some solutions automatically exclude subfolders, but others require explicit notation.

Exclude these folders and the update file:

  • C:\Users\*\Documents\afterSentDocuments
  • C:\Users\*\AppData\Local\afterSentDocuments
  • C:\Program Files\SentinelOne
  • C:\ProgramData\Sentinel
  • C:\Documents and Settings\All Users\Application Data\Sentinel

Exclude the SentinelOne Agent kernel-mode driver, Windows service, and dynamic libraries:

  • Kernel-Mode driver:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\SentinelMonitor.sys
  • Windows Service:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\SentinelAgent.exe
  • 32-bit DLL:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\InProcessClient32.dll
  • 64-bit DLL:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\InProcessClient64.dll

macOS

macOS Kextless Agent 4.6+:

  • /Library/Sentinel/
  • /Applications/SentinelOne/
  • /Library/SystemExtensions/*/com.sentinelone.network-monitoring.systemextension/
  • /Library/Python/2.7/site-packages/sentinel.egg
  • /usr/local/lib/python2.7/site-packages/sentinel.egg

Linux

There are different directories and files to exclude, based on the OS version and Linux distribution.

  • To see the version and distribution of a Linux endpoint, run:
    • cat /etc/redhat-release 2> /dev/null ; cat /etc/lsb-release 2> /dev/null ; cat /etc/system-release 2> /dev/null ; cat /etc/os-release 2> /dev/null

Linux on these distros:

  • Redhat/CentOS/Oracle Linux 7+
  • SUSE 12 & 15
  • Fedora 25 - 30
  • Amazon Linux 2

Exclude:

  • /opt/sentinelone/
  • /usr/lib/systemd/system/sentinelone.service
  • /sys/kernel/debug/tracing/events/kprobes/s1*/
  • /sys/kernel/debug/tracing/events/kprobes/enable
  • /sys/kernel/debug/tracing/events/kprobes/filter

Linux on these distros:

  • Ubuntu 15.04+
  • Debian 8+

Exclude:

  • /opt/sentinelone/
  • /var/lib/dpkg/info/sentinelagent.*
  • /usr/lib/systemd/system/sentinelone.service
  • /sys/kernel/debug/tracing/events/kprobes/s1*/
  • /sys/kernel/debug/tracing/events/kprobes/enable
  • /sys/kernel/debug/tracing/events/kprobes/filter

Linux on these distros:

  • Ubuntu 14.04 (non-systemd)

Exclude:

  • /opt/sentinelone/
  • /etc/init.d/sentineld
  • /var/lib/dpkg/info/sentinelagent.*

Linux on these distros:

  • Redhat/CentOS/Oracle Linux 6.4 - 6.10
  • Amazon Linux

Exclude:

  • /opt/sentinelone/
  • /etc/init.d/sentineld
