SentinelOne on SolCyber Knowledgebase

Windows Agent Installation

Mon, 01 Jan 0001 00:00:00 +0000

Installation of Windows agent version 23.4 and above DOES NOT require a system reboot.

If you are installing any agent version before 23.4, a system reboot is required to complete installation.

Install with interactive GUI wizard#

Run the installation package and enter the Site Token when prompted in the installation wizard.

Linux Agent Installation

Mon, 01 Jan 0001 00:00:00 +0000

No reboot is required for installation on Linux endpoints

Option 1: Deploy Agent with a Configuration File#

Version 21.5+ of the Linux Agent supports an easier deployment. Rather than run the commands to install, associate, activate, and then set a proxy (if applicable), you can set one configuration file to use these variables.

1. Create a configuration file with the installation parameters, each on a separate line.

Supported Operating Systems

Mon, 01 Jan 0001 00:00:00 +0000

Windows#

Microsoft Windows Operating System Versions#

Windows OS	Details
Windows Server Core	2019, 2016, 2012
Windows Server	2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1
Windows Storage Server	2016, 2012 R2, 2012
Windows 7 SP1, 8, 8.1, 10, 11	32/64-bit

Minimum Hardware Requirements#

Minimum	Recommended
1 GHz CPU or better	Dual-core. You can install on a single-core CPU, but performance will not be optimal.
1 GB RAM or more	3 GB recommended
2 GB free disk space on the Windows partition	If you are taking VSS snapshots, add an additional 10%.

CPU micro-architectures such as x86_32, ARM, RISC, MIPS are not supported by SentinelOne components

Windows Agent Installer Command Line Options

Mon, 01 Jan 0001 00:00:00 +0000

If you are installing an agent version 21.x or lower, please use the legacy command line options.

Example Usage:

CMD

text

SentinelOneInstaller.exe -q -b -t <site_token>

Powershell

text

./SentinelOneInstaller.exe -q -t <site_token>

-b, --reboot_on_need

Optional. Automatically reboot the endpoint when required to continue with the installation.
-t`` site_Token or group_Token is the site token or group token.
-q, --qn

Optional unless you use a deployment tool to install the Agent (then it is mandatory).

Interoperability Exclusions

Mon, 01 Jan 0001 00:00:00 +0000

The SentinelOne agent can sometimes present interoperability issues with other applications, either SentinelOne prevents another application from operating properly, or another application prevents the SentinelOne agent from operating properly. In the SentinelOne console, the SolCyber SOC can add exclusions that will prevent SentinelOne from interacting with certain files and directories to prevent such issues.

The following list represents applications that SentinelOne provides some out-of-the-box interoperability exclusions for. Please let us know if you use any of the following applications on devices where you plan to install the S1 agent.

Uninstalling/Disabling SentinelOne

Mon, 01 Jan 0001 00:00:00 +0000

Due to the tamper protection feature in the SentinelOne agent, the easiest way to uninstall or disable the agent is to open a ticket with the SolCyber SOC. We will send an uninstallor disable command to the device. In instances when the device in question is offline or otherwise unreachable by the SentinelOne console, local uninstalls/disable can be performed, but each device’s unique passphrase is required to complete the action due to the tamper protection. The SolCyber SOC can provide you with the passphrase.

SentinelOne Data Collection List

Mon, 01 Jan 0001 00:00:00 +0000

Management Console Data Collection#

The SentinelOne Agent collects these datasets:

Hardware data:
- Machine type
- Architecture
- Memory
- CPU information
- Core count
- Mac address
Solutions conﬁguration information: Customer instance settings (including users emails, phone numbers)
User and device data:
- Agent ID
- Endpoint Name
- Workgroup/domain
- User name
- Disk encryption state
- Installed applications - installation time, size, publisher and version.
- OS type
- OS version
- SentinelOne Agent version
- SMTP username
- User login/out time
- External devices control rules
- Firewall control rules, and event notiﬁcations (such as details of blocked application events)
- Notiﬁcation of interface connection (USB/Bluetooth) and hardware information
Integrations to the Console and global conﬁguration of connected endpoints
Process activity:
- Time of machine activity
- Running processes (name, ID, CPU usage, memory)
- Full ﬁle path
- In cases of suspected threats, the SentinelOne Agent collects for each process:
  - File metadata
  - Hash
  - File type
  - Certiﬁcate (for veriﬁed or not)
  - Command-line arguments
  - Network access metadata only: IP Address; protocol
  - Registry: created keys; deleted keys; modiﬁed key names
- Network Data:
  - Internal network IP address
  - Public IP address (if running cloud-based management)
  - Inbound/Outbound connections, metadata only (source, target, port, and application)
- Fetched Files:
  - Any ﬁle fetched by user (encrypted at rest, deleted after 72 hours)

Cloud Data#

SentinelOne collects the data of the cloud service provider for each Linux and K8s Agent that is recognized as a server (Sentinels > Endpoints > Machine Type = Server ).

Agent Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

When troubleshooting issues with SentinelOne agents, a SolCyber SOC engineer will usually open a ticket with SentinelOne support. To expedite resolution, we ask that some data or log collection be done on the device so that we can provide the details to SentinelOne support.

Windows#

To collect installation logs from Windows endpoints:#

In File Explorer, enter:
- C:\Windows\Temp\
- %temp%
  
  This redirects to C:\Users\<USER>\AppData\Local\Temp\ where <USER> is the logged-in user.
In each of these file paths, look for sentinelinstaller files. The file path can be different configuration of your operating system.

SentinelOne Endpoint Actions

Mon, 01 Jan 0001 00:00:00 +0000

In the SolCyber Customer Portal, you can run an Endpoint report to show any SentinelOne agents that are missing a necessary permission, or require an action (such as rebooting) to restore full functionality to the agent. Please use the chart below to find a description for the most common values found in the “Action Needed” column of this report. If your report contains an action that is not listed here, please contact the SOC at soc@SolCyber.com so that we can assist.

VSS Writer Exclusions

Mon, 01 Jan 0001 00:00:00 +0000

⚠️ Important Security Notice: Excluding VSS Writers removes SentinelOne protection from that data. Only exclude writers when absolutely necessary for backup compatibility.

Overview#

This guide shows you how to exclude specific VSS Writers from SentinelOne protection to resolve compatibility issues with backup software using the SentinelCtl command line method.

The SentinelOne agent protects VSS shadow copies from malicious changes and deletion. However, some backup applications may require specific VSS Writers to be excluded from SentinelOne monitoring to function properly.