VSS Writer Exclusions
⚠️ Important Security Notice: Excluding VSS Writers removes SentinelOne protection from that data. Only exclude writers when absolutely necessary for backup compatibility.
Overview
This guide shows you how to exclude specific VSS Writers from SentinelOne protection to resolve compatibility issues with backup software using the SentinelCtl command line method.
The SentinelOne agent protects VSS shadow copies from malicious changes and deletion. However, some backup applications may require specific VSS Writers to be excluded from SentinelOne monitoring to function properly.
Configuration Steps
1. Identify VSS Writers
Open Command Prompt as Administrator and run the following command to list all VSS Writers:
vssadmin list writers
Example output showing SqlServerWriter with its Writer ID
2. Copy the Writer ID
From the command output, locate the Writer Id field for the VSS Writer you want to exclude. Copy the entire GUID including the curly braces.
Example: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
3. Navigate to SentinelOne Directory
Change to the SentinelOne installation directory:
cd C:\Program Files\SentinelOne\Sentinel Agent
4. Configure the Exclusion
For a single VSS Writer:
sentinelctl.exe config -p agent.vssConfig.excludedVssWriters -v {WriterID} -k "your-passphrase"
For multiple VSS Writers:
sentinelctl.exe config -p agent.vssConfig.excludedVssWriters -v {ID1},{ID2},{ID3} -k "your-passphrase"
Real example:
sentinelctl.exe config -p agent.vssConfig.excludedVssWriters -v {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a} -k "MyPassphrase123"
5. Restart the SentinelOne Agent
Unload the agent:
sentinelctl.exe unload -a -k "your-passphrase"
Load the agent:
sentinelctl.exe load -a
Verification
Confirm the exclusion was applied successfully by running:
sentinelctl.exe config -p agent.vssConfig.excludedVssWriters
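Steps 1 to 4 as a scripted check, added here as an example (not SentinelOne's code): it resolves writer names to Writer Ids from the vssadmin listing, builds the -v value only from an approved list, and maps an exclusion value back to names so unapproved GUIDs stand out. The function names, the approved list, ExampleWriter and all instance GUIDs are constructed for illustration.

```powershell
# Constructed, abridged sample in the layout `vssadmin list writers` prints (not from a real host).
# On a live system use:  $raw = vssadmin list writers
$raw = @'
Writer name: 'ExampleWriter'
   Writer Id: {11111111-2222-3333-4444-555555555555}
   Writer Instance Id: {00000000-0000-0000-0000-000000000001}

Writer name: 'SqlServerWriter'
   Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
'@ -split '\r?\n'

# Map each writer name to its Writer Id ("Writer Instance Id" lines do not match).
function Get-VssWriterMap([string[]]$Lines) {
    $map = @{}; $name = $null
    foreach ($line in $Lines) {
        if ($line -match "^Writer name:\s*'(.+)'") { $name = $Matches[1] }
        elseif ($name -and $line -match '^\s*Writer Id:\s*(\{[0-9a-fA-F-]{36}\})') {
            $map[$name] = $Matches[1]; $name = $null
        }
    }
    $map
}

# Build the -v value from approved writer names only; fail closed on anything unknown.
function New-ExclusionValue([hashtable]$Map, [string[]]$Approved) {
    $ids = foreach ($w in $Approved) {
        if (-not $Map.ContainsKey($w)) { throw "Writer '$w' is not registered on this host" }
        $g = [guid]::Empty
        if (-not [guid]::TryParse($Map[$w], [ref]$g)) { throw "Malformed Writer Id for '$w'" }
        $Map[$w]
    }
    $ids -join ','
}

# Reverse check: name every GUID in an exclusion value and flag unapproved ones.
function Test-ExclusionValue([string]$Value, [hashtable]$Map, [string[]]$Approved) {
    foreach ($m in [regex]::Matches($Value, '\{[0-9a-fA-F-]{36}\}')) {
        $name = ($Map.GetEnumerator() | Where-Object { $_.Value -eq $m.Value }).Key
        [pscustomobject]@{ WriterId = $m.Value; Writer = $name; Approved = $Approved -contains $name }
    }
}

$approved = @('SqlServerWriter')   # hypothetical approved list for this host
$map   = Get-VssWriterMap $raw
$value = New-ExclusionValue $map $approved
"sentinelctl.exe config -p agent.vssConfig.excludedVssWriters -v $value -k `"your-passphrase`""
Test-ExclusionValue "$value,{11111111-2222-3333-4444-555555555555}" $map $approved | Format-Table
```

The script prints the command instead of running it, so the passphrase never has to be stored in the script. A passphrase passed with -k on a command line can still be captured wherever process command lines are logged.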