SentinelOne (S1): Excluding S1 from Third-Party AV

Description

If you have a third-party Anti-Virus installed on endpoints, it might block SentinelOne.


To let SentinelOne co-exist with other security vendors:

  1. See the vendor documentation to learn how to exclude applications from their security blocks.
  2. Exclude the following files and folders for the related operating system.

Windows

Make sure to exclude subfolders. Some solutions automatically exclude subfolders, but others require explicit notation.

Exclude these folders and the update file:

  • C:\Users\*\Documents\afterSentDocuments
  • C:\Users\*\AppData\Local\afterSentDocuments
  • C:\Program Files\SentinelOne
  • C:\ProgramData\Sentinel
  • C:\Documents and Settings\All Users\Application Data\Sentinel

Exclude the SentinelOne Agent kernel-mode driver, service, and dynamic library:

  • Kernel-Mode driver:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\SentinelMonitor.sys
  • Windows Service:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\SentinelAgent.exe
  • 32-bit DLL:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\InProcessClient32.dll
  • 64-bit DLL:
    • C:\Program Files\SentinelOne\Sentinel Agent <version>\InProcessClient64.dll

macOS

macOS Kextless Agent 4.6+:

  • /Library/Sentinel/
  • /Applications/SentinelOne/
  • /Library/SystemExtensions/*/com.sentinelone.network-monitoring.systemextension/
  • /Library/Python/2.7/site-packages/sentinel.egg
  • /usr/local/lib/python2.7/site-packages/sentinel.egg

Linux

There are different directories and files to exclude, based on the OS version and Linux distribution.

  • To see the version and distro information of a Linux endpoint:
    • cat /etc/redhat-release 2> /dev/null ; cat /etc/lsb-release 2> /dev/null ; cat /etc/system-release 2> /dev/null ; cat /etc/os-release 2> /dev/null

Linux on these distros:

  • Redhat/CentOS/Oracle Linux 7+
  • SUSE 12 & 15
  • Fedora 25 - 30
  • Amazon Linux 2
    • Exclude:
      • /opt/sentinelone/
      • /usr/lib/systemd/system/sentinelone.service
      • /sys/kernel/debug/tracing/events/kprobes/s1*/
      • /sys/kernel/debug/tracing/events/kprobes/enable
      • /sys/kernel/debug/tracing/events/kprobes/filter

Linux on these distros:

  • Ubuntu 15.04+
  • Debian 8+
    • Exclude:
      • /opt/sentinelone/
      • /var/lib/dpkg/info/sentinelagent.*
      • /usr/lib/systemd/system/sentinelone.service
      • /sys/kernel/debug/tracing/events/kprobes/s1*/
      • /sys/kernel/debug/tracing/events/kprobes/enable
      • /sys/kernel/debug/tracing/events/kprobes/filter

Linux on these distros:

  • Ubuntu 14.04 (non-systemd)
    • Exclude:
      • /opt/sentinelone/
      • /etc/init.d/sentineld
      • /var/lib/dpkg/info/sentinelagent.*

Linux on these distros:

  • Redhat/CentOS/Oracle Linux 6.4 - 6.10
  • Amazon Linux
    • Exclude:
      • /opt/sentinelone/
      • /etc/init.d/sentineld
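
The Linux distro groups above differ in two properties of the endpoint: Debian-family or RPM-family packaging, and systemd or non-systemd init. The shell functions below are an added example, not SentinelOne's or this article's own code; they select the matching exclusion list from this article. The function names and the detection method (a dpkg database directory and /run/systemd/system) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not vendor code): choose the exclusion list from this
# article for a Linux endpoint. Assumption: package family (deb/rpm) plus
# init system (systemd/sysv) identifies the distro group.

# s1_exclusions FAMILY INIT -> prints one exclusion path per line
#   FAMILY: deb (Ubuntu, Debian) | rpm (Red Hat, CentOS, Oracle, SUSE, Fedora, Amazon)
#   INIT:   systemd | sysv (any non-systemd init, e.g. Ubuntu 14.04)
s1_exclusions() {
    case "$1" in deb|rpm) ;; *) echo "unknown family: $1" >&2; return 2 ;; esac
    case "$2" in systemd|sysv) ;; *) echo "unknown init: $2" >&2; return 2 ;; esac
    echo "/opt/sentinelone/"
    if [ "$2" = "sysv" ]; then
        echo "/etc/init.d/sentineld"
    fi
    if [ "$1" = "deb" ]; then
        echo "/var/lib/dpkg/info/sentinelagent.*"
    fi
    if [ "$2" = "systemd" ]; then
        echo "/usr/lib/systemd/system/sentinelone.service"
        echo "/sys/kernel/debug/tracing/events/kprobes/s1*/"
        echo "/sys/kernel/debug/tracing/events/kprobes/enable"
        echo "/sys/kernel/debug/tracing/events/kprobes/filter"
    fi
}

# A dpkg database marks a Debian-family system; anything else is treated
# as rpm, the only other family this article lists.
s1_detect_family() {
    if [ -d /var/lib/dpkg/info ]; then echo deb; else echo rpm; fi
}

# /run/systemd/system exists only when systemd is the running init.
s1_detect_init() {
    if [ -d /run/systemd/system ]; then echo systemd; else echo sysv; fi
}

echo "# exclusions for $(s1_detect_family)/$(s1_detect_init):"
s1_exclusions "$(s1_detect_family)" "$(s1_detect_init)"
```

Confirm the detected group against the distro and version lists above before entering the paths in the third-party product, since the example does not check version numbers.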
