Configuring Windows VSS for Rollback

07/29/2021

    Description

    This article explains how to configure the Volume Shadow Copy Service (VSS) on Windows endpoints so that the Capture Client Rollback feature works.

    The Capture Client (Advanced) Rollback feature uses the Microsoft Windows Volume Shadow Copy Service (VSS). VSS saves a snapshot of the endpoint's drives (physical and logical) and, at a set interval, records the changes made since the previous snapshot in a new one. Rollback restores files from the last good snapshot.

    Note: VSS does not save copies of mapped network shares.

    Resolution

    Getting started


    VSS start options are set on the endpoint OS.

    1. If the service is disabled on an endpoint, no shadow copies are saved and Rollback will not work.
      Note: On Windows Server 2008 R2, the Agent always starts the service and saves shadow copies.
    2. If the service is set to Manual or Automatic start, the SentinelOne Agent makes sure that shadow copies are saved.
      Important: If the service was disabled on an endpoint and you change it to Manual or Automatic, the Agent does not take a snapshot until the endpoint is rebooted.
    3. Shadow copies are protected from accidental deletion while the Agent is installed.


    To see shadow copies and add shadow storage on an endpoint:

    1. On the endpoint, start cmd with Run as Administrator.
    2. Run: vssadmin list shadows
    3. In the output, look for the shadow copies made by the Agent. Their Type is: ApplicationRollback
    4. If there are no copies, check that the volume has a shadow storage association (vssadmin list shadowstorage). If it has none, create one:
      vssadmin Add ShadowStorage /For=drive /On=storage_drive /MaxSize=percent%
      For example: vssadmin Add ShadowStorage /For=C: /On=C: /MaxSize=10%

    If there are still no copies, verify that the Volume Shadow Copy Service is enabled and running, and enable it if it is not: while VSS is disabled on an endpoint, no shadow copies are saved and Rollback does not work. Make sure the service stays enabled and that shadow copies are saved periodically.

    Note: Shadow copies can take up a lot of disk space, which matters most on virtual systems. We recommend allocating 10% of the disk to VSS and never less than 5%. The VSS space allocation determines how many copies are kept: when the allocated space is full, the next snapshot replaces the oldest copies.


    To see used space in Windows 7 and higher:

    1. Open Control Panel > System and Security > System.
    2. Click System protection.
    3. In the System Properties window, open the System Protection tab.
      Make sure the drives you want to be able to roll back are selected. The SentinelOne Agent creates a new snapshot (restore point) when the endpoint shuts down or starts. To make a new snapshot of a drive on this endpoint now, select the drive and click Create.
    4. Click Configure.
      The System Protection for <drive> window opens and shows Current Usage and Max Usage.



    To configure Windows for optimal disk space:


    Shadow copies take up disk space, which matters most on virtual systems. We recommend allocating 10% of the disk to VSS and strongly recommend not going below 5%. The allocation determines how many copies are kept: when it is full, the next snapshot replaces the oldest copies.

    The Agent respects the limits set by the operating system and does not change the VSS configuration. It does not exceed the allocated space or maximum limit of stored copies (512).

    1. On the endpoint, start cmd with Run as Administrator.
    2. Run:  vssadmin List ShadowStorage

      The last line of the output shows the maximum storage in GB and in percent of the total.

    3. Change the space allocation for VSS:

      vssadmin Resize ShadowStorage /For=<drive> /On=<storage_drive> /MaxSize=<percent>%
      Example: vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10%

      Space allocation impacts security!
      Suppose you set the Windows shadow copy allocation to 1% of an endpoint's disk and the Agent saves a copy every 4 hours. The endpoint is then hit by ransomware. You have to mitigate with Rollback within 4 hours of the last good copy, not within 4 hours of the attack: once the next snapshot runs, the small allocation fills with copies of the encrypted drive or files and the good copies taken before the attack are discarded. If the attack lands just before the next scheduled snapshot, a 1% allocation leaves your security team almost no window at all.

      The recommended allocation of 5 to 10 percent keeps the earlier copies long enough for you to respond with a successful mitigation.
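    The two checks above (shadow copies of Type ApplicationRollback exist, and the shadow storage allocation is large enough) are easy to script. The following PowerShell audit is an added example, not part of the article or the Capture Client/SentinelOne agent: it checks the VSS service start type, reads the shadow storage allocation through WMI (Win32_ShadowStorage and Win32_Volume) instead of parsing vssadmin list shadowstorage, and parses vssadmin list shadows to find the newest ApplicationRollback copy for the volume. The 10% and 5% thresholds and the 240-minute interval are the article's defaults; the regular expressions assume the English-locale labels in vssadmin output, and the script needs Windows PowerShell 5.1 or later for Get-Service's StartType property.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the SonicWall article or the SentinelOne/Capture Client agent.
# Audits one volume for the Rollback prerequisites the article describes:
#   1. the VSS service is not Disabled,
#   2. shadow storage for the volume is at least 10% of its size (hard floor 5%),
#   3. ApplicationRollback shadow copies exist and the newest one is not stale.
# Assumptions: English-locale vssadmin output (the regexes match its English labels)
# and the article's defaults for the thresholds and the 240-minute snapshot interval.
param(
    [string]$Volume = 'C:',
    [int]$MinPercent = 10,
    [int]$FloorPercent = 5,
    [int]$IntervalMinutes = 240
)

$findings = @()

# 1. Service start type: Manual or Automatic is fine; Disabled breaks Rollback.
$svc = Get-Service -Name VSS
if ($svc.StartType -eq 'Disabled') {
    $findings += 'VSS service is Disabled: no shadow copies are saved and Rollback will not work. ' +
                 'Set it to Manual (or Automatic) and reboot the endpoint.'
}

# 2. Shadow storage allocation as a percentage of the volume, read via WMI
#    (same data as "vssadmin list shadowstorage", without locale-dependent text).
$pct = 0
$vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$Volume'"
if (-not $vol) { throw "Volume $Volume not found on this endpoint." }
$store = Get-CimInstance Win32_ShadowStorage | Where-Object { $_.Volume.DeviceID -eq $vol.DeviceID }
if (-not $store) {
    $findings += "No shadow storage association for ${Volume}. Create one: " +
                 "vssadmin add shadowstorage /For=$Volume /On=$Volume /MaxSize=${MinPercent}%"
} else {
    $pct = [math]::Round(100.0 * $store.MaxSpace / $vol.Capacity, 1)
    if ($pct -lt $FloorPercent) {
        $findings += "Shadow storage is ${pct}% of ${Volume}, below the ${FloorPercent}% floor: good copies " +
                     'are overwritten almost immediately after a ransomware event. Run: ' +
                     "vssadmin resize shadowstorage /For=$Volume /On=$Volume /MaxSize=${MinPercent}%"
    } elseif ($pct -lt $MinPercent) {
        $findings += "Shadow storage is ${pct}% of ${Volume}; ${MinPercent}% is recommended."
    }
}

# 3. Parse "vssadmin list shadows": each shadow copy set has one creation time and
#    one or more shadow copies, each with its Original Volume and Type.
$raw = (& vssadmin.exe list shadows 2>&1) -join "`n"
$copies = foreach ($set in ($raw -split 'Contents of shadow copy set ID:' | Select-Object -Skip 1)) {
    $created = if ($set -match 'creation time: (?<t>[^\r\n]+)') { [datetime]::Parse($Matches.t.Trim()) } else { $null }
    foreach ($c in ($set -split 'Shadow Copy ID:' | Select-Object -Skip 1)) {
        [pscustomobject]@{
            Id      = ($c -split '\r?\n')[0].Trim()
            Volume  = if ($c -match 'Original Volume: \((?<d>[A-Za-z]:)\)') { $Matches.d } else { '' }
            Type    = if ($c -match 'Type: (?<ty>\S+)') { $Matches.ty } else { '' }
            Created = $created
        }
    }
}
$rollback = @($copies | Where-Object { $_.Volume -eq $Volume -and $_.Type -eq 'ApplicationRollback' } |
              Sort-Object Created)
if ($rollback.Count -eq 0) {
    $findings += "No ApplicationRollback shadow copies on ${Volume}: the Agent has not snapshotted this volume " +
                 '(service disabled, interval 0, or no reboot since VSS was enabled).'
} else {
    # Allow one missed interval; sleep and hibernate pause the Agent's interval counter.
    $ageMin = [int]((Get-Date) - $rollback[-1].Created).TotalMinutes
    if ($ageMin -gt 2 * $IntervalMinutes) {
        $findings += "Newest rollback copy is $ageMin min old against a $IntervalMinutes min interval: " +
                     'check agent.snapshotIntervalMinutes and whether the endpoint has been asleep.'
    }
}

"$Volume : VSS start type=$($svc.StartType), shadow storage=${pct}%, rollback copies=$($rollback.Count)"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
'OK: Rollback prerequisites are satisfied'
exit 0
```

    Run it from an elevated PowerShell prompt as .\Test-VssRollback.ps1 -Volume D: to check a second data volume; the non-zero exit code makes it usable from a scheduled task or an RMM check.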

    To change the VSS interval snapshots:

    The default times at which the OS takes a new VSS snapshot are usually fixed hours, twice a day. The Agent instead takes a snapshot every four hours by default, counted from Agent installation, so copies are made at a different time on each endpoint rather than by the clock. You can change the interval when you create Agent packages or change an Agent configuration. An interval of zero disables the Agent's shadow copies.

    Note: The interval counter does not advance while the endpoint is asleep or hibernating. For example, if the endpoint takes a snapshot at midnight, sleeps for one hour, and is then active for four hours, the next snapshot (with a 4-hour interval) is taken at 5:00 AM, not at 4:00 AM.

    To change the interval on one endpoint from the command line:

    1. In the management console, go to the Devices section and download the device list.
    2. In the downloaded list, find the "S1 Passphrase" for the device.
    3. On the endpoint, start cmd with Run as Administrator and go to the SentinelOne directory:
      cd c:\program files\sentinelone\sentinel agent <version>\
    4. Turn off the Agent self-protection. With the passphrase that you copied, run:
      sentinelctl.exe unprotect -k "<passphrase>"
      The unprotect command is necessary to change the configuration of the Agent. Complete this procedure quickly and do not leave the Agent unprotected for longer than necessary.
    5. Run the command to change the interval:
      sentinelctl.exe config -p agent.snapshotIntervalMinutes -v <minutes>
      The output shows the new interval in minutes. For example: 240 = every 4 hours.

      Note: An interval of 0 means the Agent saves no shadow copies. Use it only for specific environment limitations that require you to turn off VSS snapshots for some Agents temporarily. If other programs use VSS and take snapshots, Rollback can still work; how well depends on how often those programs take snapshots and how quickly mitigation is run.

    6. Unload the Agent: sentinelctl.exe unload -a
    7. Load the Agent again: sentinelctl.exe load -a
    8. Turn on the Agent self-protection: sentinelctl.exe protect

    Note: If the snapshot interval stays the same after the change, restart the endpoint.
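    Because the Agent is unprotected between the unprotect and protect steps, a script that runs the sequence should restore self-protection no matter which step fails. The PowerShell wrapper below is an added example and not part of the article or the SentinelOne/Capture Client agent. It assumes the agent is installed under the "Sentinel Agent <version>" folder named above, that the device's S1 Passphrase is supplied through an S1_PASSPHRASE environment variable (an assumption of this example) rather than typed on the script's command line, and that the subcommand is config, as the article uses elsewhere. The finally block turns self-protection back on even when config, unload or load throws, and the script reports how long the Agent was unprotected.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the SonicWall article or the SentinelOne/Capture Client agent.
# Runs unprotect / config / unload / load / protect for agent.snapshotIntervalMinutes so
# that self-protection is always restored, even if a step fails, and reports how long
# the Agent was left unprotected.
# Assumptions: the agent lives under "C:\Program Files\SentinelOne\Sentinel Agent <version>",
# the passphrase comes from the S1_PASSPHRASE environment variable, and the subcommand
# is "config" (as used in the article's other sentinelctl commands).
param(
    # 0 disables the Agent's snapshots; 240 = every 4 hours (the article's default)
    [Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$Minutes,
    [string]$Passphrase = $env:S1_PASSPHRASE
)
if (-not $Passphrase) { throw 'Set S1_PASSPHRASE to the S1 Passphrase for this device before running.' }

# Locate sentinelctl.exe: pick the highest "Sentinel Agent <version>" directory present.
$agentDir = Get-ChildItem 'C:\Program Files\SentinelOne\Sentinel Agent *' -Directory -ErrorAction SilentlyContinue |
    Sort-Object { [version]($_.Name -replace '^Sentinel Agent ', '') } -Descending |
    Select-Object -First 1
if (-not $agentDir) { throw 'No "Sentinel Agent <version>" directory found under C:\Program Files\SentinelOne.' }
$ctl = Join-Path $agentDir.FullName 'SentinelCtl.exe'

function Invoke-Ctl {
    # Runs one sentinelctl command and turns a non-zero exit code into a terminating error
    param([string[]]$CtlArgs)
    $out = & $ctl @CtlArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sentinelctl $($CtlArgs -join ' ') failed with exit code ${LASTEXITCODE}: $out"
    }
    $out
}

# Open the unprotect window as late as possible and close it in the finally block.
$clock = [System.Diagnostics.Stopwatch]::StartNew()
Invoke-Ctl @('unprotect', '-k', $Passphrase) | Out-Null
try {
    $result = Invoke-Ctl @('config', '-p', 'agent.snapshotIntervalMinutes', '-v', "$Minutes")
    Invoke-Ctl @('unload', '-a') | Out-Null
    Invoke-Ctl @('load', '-a') | Out-Null
}
finally {
    # Always restore self-protection, whether or not a step above threw.
    & $ctl protect 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'sentinelctl protect failed: run "sentinelctl.exe protect" by hand now.'
    }
    $clock.Stop()
    "Agent self-protection was off for {0:N0} seconds" -f $clock.Elapsed.TotalSeconds
}

"agent.snapshotIntervalMinutes output: $result"
'If the interval did not change, restart the endpoint.'
```

    Passing the passphrase through an environment variable keeps it out of this script's own command line; sentinelctl still receives it as -k, as the procedure requires, so it is visible in that child process's arguments for the moment it runs.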


    To enable VSS for all endpoints:


    Push the service setting to all endpoints with an Active Directory Group Policy Object (GPO).

    1. On your Domain Controller server, click Start and enter: mmc
    2. In the Windows Console window, click File > Add/Remove Snap-in.
    3. Add the Group Policy Management snap-in.
    4. In Domains > the domain to configure, right-click Default Domain Policy and select Edit.
    5. In the Group Policy Management Editor, click Computer Configuration > Preferences > Control Panel Settings.
    6. Right-click Services and select New > Service.
    7. In New Service Properties > Startup, click Manual.
    8. In the Service name list, select VSS (Volume Shadow Copy).
    9. In Log on as, select Local System account.
    10. Click OK.

    To configure all endpoints consistently for VSS:


    1. Make sure the change does not impact other programs. Run: vssadmin list shadows
      The output shows, among other data, the Type of each copy. ApplicationRollback copies belong to SentinelOne. Look at the other types and make sure you understand their purpose. Run vssadmin list writers to learn more about other programs that use VSS. Note: Not all programs that use VSS are listed as writers.
    2. In the Group Policy Management Editor on the Domain Controller, open Control Panel Settings.
    3. Right-click Scheduled Tasks and select New > Scheduled Task (At least Windows 7).
    4. In the window that opens, enter a name for the Task and select the Domain Administrator account to use.
    5. In the Action list, click Create.
    6. In the Trigger tab, click New.
    7. In the window that opens, in the Begin the task list, click At log on.
    8. Click OK.
    9. In the Actions tab, click New.
    10. In the window that opens, in the Action list, click Start a program.
    11. In Program/Script, enter the command to configure the VSS service with the recommended maximum storage size of 10%:  cmd /c "vssadmin Resize ShadowStorage /For=c: /On=C: /MaxSize=10%"
    12. Click OK.  The change is applied to endpoints after they reboot.

    To restore shadow copies:


    You can restore the folders and files affected by a threat group with granular control using third-party tools. This procedure uses ShadowExplorer. We are not responsible for the results and offer these steps only as extra information. See the ShadowExplorer documentation.

    1. Download ShadowExplorer.
    2. Install and run it. See ShadowExplorer.com for instructions.
    3. In the main window, select the drive and backup time of the restore point.
    4. Select the folders and files to restore.
    5. Right-click and select Export.
    6. In the window that opens, create or select a folder.
    7. Click OK.
                                                                                                                                                                                     

    To disable VSS protection completely:

     
    These steps turn off VSS and Rollback completely. If you want to stop taking new snapshots temporarily, use the Interval Change steps.

    1. Turn off the Agent self-protection. With the passphrase that you copied, run: sentinelctl.exe unprotect -k "<passphrase>"
    2. Turn off VSS protection:
      sentinelctl config -p agent.vssConfig.vssProtection -v false
      sentinelctl config -p agent.vssSnapshots -v false
    3. Turn on the Agent self-protection: sentinelctl.exe protect
    4. Reboot the endpoint.

    To delete snapshots:

    Important:  This procedure uses vssadmin, which is a Microsoft tool. For help with vssadmin specific issues, please contact Microsoft.

    1. Turn off the Agent self-protection.
      With the passphrase that you copied, run: sentinelctl.exe unprotect -k "<passphrase>"
    2. Disable deletion-protection for shadow copies.
      Run: sentinelctl config -p vssConfig.vssProtection -v false
    3. Open cmd or powershell as administrator and run the relevant command:
      • To delete all shadow copies:  vssadmin delete shadows /all 
      • To delete the oldest:  vssadmin delete shadows /For=C: /Oldest
      • To select shadow copies to delete, get a list of the shadow copy IDs and then delete by ID:
        vssadmin list shadows
        vssadmin delete shadows /shadow=<ShadowID>
      • If you see this error:
        "Error: Snapshots were found, but they were outside of your allowed context.  Try removing them with the backup application which created them."
        • Log in as an administrator. Membership in the local Administrators group, or equivalent, is required to run DiskShadow.
        • Start DiskShadow:  Diskshadow
        • Run:  delete shadows all
    4. Turn on the Agent self-protection:
      sentinelctl.exe protect
