SentinelOne agent command line tool

02/25/2025 33 People found this article helpful 495,454 Views

Description

sentinelctl is a command line tool that can be used to execute actions on a Windows/MACOS endpoint. This can be typically used to unprotect, unload/disable, load/re-enable, protect and perform policy updates for S1 Agent on your devices.
CAUTION: We recommend that you do not use this for any other purpose unless Support suggests.

WINDOWS:

Open Command Prompt and run as an administrator

Go to the C:\Program Files\SentinelOne\Sentinel Agent <Version>

To run the tool: sentinelctl <command> [options]

To see all options of a command: sentinelctl -help

MACOS:

Open terminal

Go to the /Library/Sentinel

To run the tool: sudo sentinelctl <command> [make sure to run with sudo as it will only work when run as an admin]

To see all the options of a command: sentinelctl -help

Resolution

SENTINELONE COMMANDS:

To disable Anti-Tampering:
sentinelctl unprotect -k <S1 Passphrase>

NOTE: Please refer to end of the article on how to obtain S1 passphrase

To Enable Anti-Tampering:
sentinelctl protect

To Stop the Agent Services:
sentinelctl unload -m -a

To Start the Agent services:
sentinelctl load -m -a

To connect a disconnected endpoint/To remove network quarantine and connect back to network:
sentinelctl unquarantine_net -k <S1 Passphrase>

To Restart the Agent Services:
sentinelctl reload -m -a

To Get the Status of Agent Services and Policy Basics:
sentinelctl status
TIP: If you see the output for Mitigation Policy: none then it means "The Agent does not enforce policy with mitigation" whereas for Mitigation Policy: quarantineThreat means "The Agent enforces policy with kill and quarantine mitigation".

To Check if Full Disk Scan is in Progress:
sentinelctl is_scan_in_progress
TIP: It will return the output as Full disk scan in progress: True or False

To Scan a Folder:
sentinelctl scan_folder -i path
TIP: Use the option -i, --infile to scan a folder. If you do not use this parameter then the complete drive is scanned

To Check if S1 Agent ever Connected to Management:
sentinelctl ever_connected_to_management
EXAMPLE: Sample Output "Mgmt key part: 4ba007899be132d45a1590ds4f2ff2f2f031c4ffa3"

To Enable or Disable IE protection:
sentinelctl ie_protection [-e|-d] -k <S1 Passphrase>

Options:
-e, --enable [Enables IE protection]
-d, --disable [Disables IE protection]
NOTE: This command requires reboot to apply.

To Disable Windows Security Center (WSC):
sentinelctl config agent.wscRegistration {1 | 0 } -k <S1 Passphrase>
NOTE: It is not recommended to disable WSC. By default, the SentinelOne Windows Agent registers with WSC as anti-virus protection and Windows Defender is disabled.

To Change the Configuration Values of S1 Windows Agent:
sentinelctl config [-p] parameter [-d] [-v] value [-f {json | default}] -k "S1 Passphrase"

Options:
-p, --parameter [Specify the parameter to get or change. This flag is optional, but if not used to prefix the parameter name, the -v flag must not be used to prefix the value]
-d, --delete [Undo the change last made to this value through sentinelctl]
-v, --value [Set the configuration of the parameter to this value. If a value is not given, output shows the current value. If the -p flag is not used to prefix the parameter name, the -v flag must not be used to prefix the value]
-f, --format [Output configuration to json format or two-column text. To save as a file, use a redirect]
-k, --key [If Anti-Tampering is enabled on the Agent, all configure commands require validation]

HOW TO OBTAIN S1 PASSPHRASE?

S1 Passphrase can be obtained by Capture Client admin (from management console) for the device. Go to Assets> Devices section and click on export icon to download devices list