How to purge crash dumps created by Capture Client Threat Protection Engine

Description

In rare cases, the Capture Client Threat Protection Engine (SentinelOne) components (SentinelAgent.exe and AgentUI.exe) may crash. When this occurs, crash dump files are generated and stored in the following directory:

  • C:\ProgramData\Sentinel\CrashDumps

These dump files are useful for analyzing and identifying the root cause of the agent component crash.

 

NOTE: Currently, agents do not automatically purge these dump files. Alternatively, you can define a maximum limit for the number of crash dump files to be retained. Once this limit is reached, the agent will automatically delete older dump files and store new ones. For configuration steps, refer to the section “How to set max count of agent crash dumps” at the end of this article.

 

Steps to delete these dumps files:

 

NOTE: Please collect the files and send to support for analysis before deleting them.

Method 1: Via Management Console

  1. Log in to your Capture Client Management Portal and select SentinelOne to get redirected to the SentinelOne console.
  2. Navigate to Sentinels → click on the endpoint [endpoint detail will open] → Actions, then search for “Purge Crash Dumps” and click on it.

 

Method 2: Directly on the Machine

  1. Obtain the agent passphrase. Refer section "HOW TO OBTAIN S1 PASSPHRASE?" in the end of this KB article.
  2. Alternatively, in the SentinelOne console, go to Sentinels, select the agent, and click Actions → Show Passphrase.
  3. Open Command Prompt (CMD) with administrator privileges.
  4. Navigate to the agent installation directory and disable anti-tampering:
    cd "C:\Program Files\SentinelOne\Sentinel <Agent Version>"
    (Replace with the installed version. You can use the TAB key for auto-completion.)
    sentinelctl unprotect -k "PASS PHRASE"
    sentinelctl unload -a -m
  5. Delete the contents from the following directory:
    C:\ProgramData\Sentinel\CrashDumps\
  6. Reload and re-enable protection for the agent:
    sentinelctl load -a -m
    sentinelctl protect

 

How to Set the Maximum Count of Agent Crash Dumps:

  1. Open Command Prompt (CMD) with administrator privileges.
  2. Navigate to the agent installation directory:

    cd "C:\Program Files\SentinelOne\Sentinel Agent <version>"

    (Replace with the installed agent version. You can use the TAB key for auto-completion.)
  3. Run the following command to configure the maximum number of crash dump files:
    sentinelctl config maxCountCrashdumps <V> -k "MY PASS PHRASE"

NOTE: Replace <V> with a value between 0 and 255, depending on the maximum number of crash dump files you want to retain. If you set the value to 0, the crash dump file will be saved and then deleted.

 

HOW TO OBTAIN S1 PASSPHRASE?

S1 Passphrase can be obtained by Capture Client admin (from management console) for the device. Go to Assets> Devices section and click on export icon Image  to download devices list 

Look for "S1 Passphrase" in the csv file for the respective device in the downloaded list

Related Articles

  • Integrating SonicWall Capture Client with SonicWall Firewalls
    Read More
  • How to use Resource Monitor to see if a Capture Client Interoperability Exclusion is Being Applied
    Read More
  • Capture Client – Migrate local CMC user login to MySonicWall account login
    Read More
not finding your answers?