SentinelOne agent command line tool

06/02/2023 31 People found this article helpful 475,262 Views

Description

SentinelCtl.exe is a command line tool that can be used to executes actions on Agent on a Windows endpoint. This can be typically used to unprotect, unload/disable, load/re-enable, protect and perform policy updates for S1 Agent on your devices. We recommend that you do not use this for any other purpose unless Support suggests.

Press the Windows Start key.

Enter: cmd

Right-click Command Prompt and select Run as administrator.

Go to the [C:\Program Files\SentinelOne\Sentinel Agent <Version>]

To run the tool: SentinelCtl.exe <command> [options]

To see all options of a command: SentinelCtl.exe <command> -help

Resolution

Useful commands are as follows:-

> SentinelCtl.exe unprotect -k "S1 Passphrase"

This disables the anti-tampering. Please refer to end of the article on how to obtain S1 Passphrase.

> SentinelCtl.exe unload -m -a

This Stops the Agent services

> SentinelCtl.exe load -m -a

This Starts Agent services.

> SentinelCtl.exe protect

Set Anti-Tampering. Protects the Agent from unauthorized changes or uninstall.

> sentinelctl unquarantine_net -k <S1 Passphrase>

Connect a disconnected endpoint (remove network quarantine).

> SentinelCtl.exe reload -m -a

Stop and then start the Agent services.

> SentinelCtl.exe is_scan_in_progress

To check if Full Disk Scan is in progress.

Return: Full disk scan in progress: with a value of True or False

> SentinelCtl.exe scan_folder -i path

To scan on a folder

Options:

-i, --infile

Folder to scan. If you do not use this parameter, the complete drive is scanned.

> SentinelCtl.exe is_scan_in_progress

To see if full disk scan is in progress

Returns: Full disk scan in progress: with a value of True or False

> SentinelCtl.exe status

To get the status of Agent services and policy basics.

Notes

Mitigation policy: none - The Agent does not enforce policy with mitigation.

Mitigation policy: quarantineThreat - The Agent enforces policy with kill and quarantine mitigation.

> SentinelCtl.exe ever_connected_to_management

Use this to check if S1 agent ever connected to management

Sample output

Mgmt key part: 4ba007899be132d45a1590ds4f2ff2f2f031c4ffa3

This command requires admin privileges (Run as Administrator) but does not require a passphrase.

> SentinelCtl.exe ie_protection [-e|-d] -k "<passphrase>"

This can be used to Enable or Disable IE protection. Requires reboot to apply.

Options:

-e, --enable

Enable IE protection.

-d, --disable

Disable IE protection.

> SentinelCtl.exe config agent.wscRegistration {1 | 0 } -k "<passphrase>"

Use this command to disable Windows Security Center (WSC). It is not recommended to disable WSC. By default, the SentinelOne Windows Agent registers with WSC as anti-virus protection and Windows Defender is disabled.

>SentinelCtl.exe config [-p] parameter [-d] [-v] value [-f {json | default}] -k "passphrase"

Use this command to change the configuration values of S1 Windows Agent

Options:

-p, --parameter

Specify the parameter to get or change. This flag is optional, but if not used to prefix the parameter name, the -v flag must not be used to prefix the value.

-d, --delete

Undo the change last made to this value through sentinelctl.

-v, --value

Set the configuration of the parameter to this value. If a value is not given, output shows the current value. If the -p flag is not used to prefix the parameter name, the -v flag must not be used to prefix the value.

-f, --format

Output configuration to json format or two-column text. To save as a file, use a redirect.

-k, --key

If Anti-Tampering is enabled on the Agent, all configure commands require validation.

NOTE: S1 Passphrase can be obtained by Capture Client admin (from management console) for the device. Go to "Devices" section and download devices list. Look for "S1 Passphrase" for the respective device in the downloaded list. Screenshots provided below for reference.