- Products
- Network Security
- Threat Protection
- Secure Access Service Edge (SASE)
- Cloud Security
- Endpoint Security
- Email Security
- Secure Access
-
Wi-Fi 6 Access Points
SonicWall SonicWave 600 series access points provide always-on, always-secure connectivity for complex, multi-device environments.
Read More
- Solutions
- Industries
- Use Cases
- Solutions Widgets
- Solutions Content Widgets
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
- Solutions Image Widgets
-
- Partners
- SonicWall Partners
- Partner Resources
- Partner Widgets
- Custom HTML : Partners Content WIdgets
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
- Partners Image Widgets
-
- Support
- Support
- Resources
- Capture Labs
- Support Widget
- Custom HTML : Support Content WIdgets
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
- Support Image Widgets
-
- COMPANY
- PROMOTIONS
- MANAGED SERVICES
- Contact Sales
-
- Menu
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Mitigating the exposure to HiveNightmare/SeriousSAM (CVE-2021-36934) with Capture Client
07/30/2021 
0 People found this article helpful
186,071 Views
Description
The recommended workaround from Microsoft to address "CVE-2021-36934: Windows Elevation of Privilege Vulnerability" (also known as HiveNightmare/SeriousSAM ) includes deleting all Volume Shadowcopy Service (VSS) snapshots from your endpoints. However, as part of ransomware protection, Capture Client prevents the deletion of VSS snapshots. This article provides the minimal steps needed to delete all snapshots without having to uninstall Capture Client.
Resolution
Important Considerations
- In the steps below, the time elapsed between Step 2 and Step 4 should be as minimum as possible to minimise risk to your endpoints.
- Step 5 is an important step to accelerate availability of a snapshot. Rollback by Capture Client is only feasible if a snapshot is available BEFORE the first event of any attack.
- Snapshots are required to perform a rollback in the case of a targeted ransomware incident. It is recommended that these actions be performed only on the most critical endpoints until a permanent solution is made available.
Recommended Workaround Steps
- On the endpoint, start cmd with Run as Administrator.
cd c:\program files\sentinelone\sentinel agent <version>\ - Disable VSS Snapshots and Snapshot protection via command-line
sentinelctl unprotect -k <S1 Passphrase>
sentinelctl config -p vssConfig.vssProtection -v false
sentinelctl config -p agent.enginesWantedState.dataFiles -v off
sentinelctl config -p agent.enginesWantedState.penetration -v off - Implement the workaround suggested by Microsoft as mentioned in their security update. This involves deletion of VSS Snapshots using the command
vssadmin delete shadows /all - Re-enable VSS Snapshots and Snapshot protection via command-line
sentinelctl config -p agent.enginesWantedState.dataFiles -v local
sentinelctl config -p agent.enginesWantedState.penetration -v local
sentinelctl config -p vssConfig.vssProtection -v true
sentinelctl protect - Reboot all Windows endpoints to accelerate availability of a snapshot
Related Articles
- Capture Client - system requirements
- SentinelOne agent version availability with SonicWall Capture Client
- New Features, Enhancements and Resolved Issues in SentinelOne Agents
YES
NO