- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Mitigating the exposure to HiveNightmare/SeriousSAM (CVE-2021-36934) with Capture Client
07/30/2021 
0 People found this article helpful
32,120 Views
Description
The recommended workaround from Microsoft to address "CVE-2021-36934: Windows Elevation of Privilege Vulnerability" (also known as HiveNightmare/SeriousSAM ) includes deleting all Volume Shadowcopy Service (VSS) snapshots from your endpoints. However, as part of ransomware protection, Capture Client prevents the deletion of VSS snapshots. This article provides the minimal steps needed to delete all snapshots without having to uninstall Capture Client.
Resolution
Important Considerations
- In the steps below, the time elapsed between Step 2 and Step 4 should be as minimum as possible to minimise risk to your endpoints.
- Step 5 is an important step to accelerate availability of a snapshot. Rollback by Capture Client is only feasible if a snapshot is available BEFORE the first event of any attack.
- Snapshots are required to perform a rollback in the case of a targeted ransomware incident. It is recommended that these actions be performed only on the most critical endpoints until a permanent solution is made available.
Recommended Workaround Steps
- On the endpoint, start cmd with Run as Administrator.
cd c:\program files\sentinelone\sentinel agent <version>\ - Disable VSS Snapshots and Snapshot protection via command-line
sentinelctl unprotect -k <S1 Passphrase>
sentinelctl config -p vssConfig.vssProtection -v false
sentinelctl config -p agent.enginesWantedState.dataFiles -v off
sentinelctl config -p agent.enginesWantedState.penetration -v off - Implement the workaround suggested by Microsoft as mentioned in their security update. This involves deletion of VSS Snapshots using the command
vssadmin delete shadows /all - Re-enable VSS Snapshots and Snapshot protection via command-line
sentinelctl config -p agent.enginesWantedState.dataFiles -v local
sentinelctl config -p agent.enginesWantedState.penetration -v local
sentinelctl config -p vssConfig.vssProtection -v true
sentinelctl protect - Reboot all Windows endpoints to accelerate availability of a snapshot
Related Articles
- Upgrading and Migrating Clients to Capture Client 3.6
- How do I send capture client TSR to tech support
- Recommendations for Ransomware Protection with Capture Client
YES
NO