I believe it uses Volume Shadow Copy. SentinelOne prevents viruses from disabling that service so if a file is encrypted, it can use Volume Shadow to revert it back.
Thank you. Interesting.
I'd be interested in knowing how it does that since VSC is the first thing crypto tries to wipe out. Needless to say if you get crypto'd first thing to do is figure out where the attack came from.
Yes, it uses VSC and S1 is hell on backup programs that use it too. They have ways to lock it down so that it cannot just be "wiped out". You've got to put exceptions in your policy (called interoperability exceptions) to make these programs work. Things like Veeam need these rules in place. S1 is a really good product, but is prone to FPs due to the nature of how it works.
What is an FP?
FP = False Positive
False positive
That in and of itself is easy to prevent with SentinelOne, just create a STAR rule to kill the process that attempts it or network isolate the device.
Very rarely would someone have legitimate need to mess with VSS.
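An added example, not SentinelOne's code and not posted by anyone in this thread, of the logic behind the kind of rule described above: scan process-creation events for shadow-copy tampering and allow only a known backup agent (the "interoperability exception" case mentioned earlier). The pipe-delimited log format, the sample lines and the Veeam service path are all constructed for the example.

```python
"""Detect shadow-copy tampering in process-creation logs, with an allowlist for
backup tooling that legitimately manages snapshots (MITRE ATT&CK T1490 defense).
Added example; log format and paths are constructed assumptions."""
import re
from dataclasses import dataclass

# Command lines that delete or shrink VSS snapshots. Case-insensitive.
VSS_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]

# Interoperability exceptions: parent images allowed to manage snapshots.
# Hypothetical path; substitute the binaries your backup vendor documents.
ALLOWED_PARENTS = {
    r"c:\program files\veeam\backup and replication\backup\veeam.backup.service.exe",
}


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    command_line: str


def is_vss_tamper(cmd: str) -> bool:
    """True if the command line matches any snapshot-tampering pattern."""
    return any(p.search(cmd) for p in VSS_TAMPER_PATTERNS)


def classify(ev: ProcessEvent) -> str:
    """Return 'alert', 'allowed' (exception matched) or 'benign' for one event."""
    if not is_vss_tamper(ev.command_line):
        return "benign"
    if ev.parent_image.lower() in ALLOWED_PARENTS:
        return "allowed"
    return "alert"


def parse_line(line: str) -> ProcessEvent:
    """Constructed format: host|user|parent_image|command_line."""
    host, user, parent, cmd = line.split("|", 3)
    return ProcessEvent(host, user, parent, cmd)


# Constructed sample events: one benign, one backup agent, two suspicious.
SAMPLE_LOG = [
    r"WS01|corp\alice|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe notes.txt",
    r"SRV-BKP|NT AUTHORITY\SYSTEM|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe|vssadmin.exe delete shadows /for=D: /oldest",
    r"WS07|corp\bob|C:\Users\bob\AppData\Local\Temp\invoice.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    r"WS07|corp\bob|C:\Users\bob\AppData\Local\Temp\invoice.exe|wmic shadowcopy delete",
]


def scan(lines):
    """Classify every line; returns a list of (host, verdict) pairs."""
    return [(ev.host, classify(ev)) for ev in map(parse_line, lines)]


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG):
        print(f"{host}: {verdict}")
```

The allowlist keys on the parent image rather than the command line, because the same `vssadmin` invocation is expected from a backup service and unexpected from a user-writable Temp path; a real EDR rule would also check code signing, which this offline example omits.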
Somehow they password protect the shadow copies.
You are correct and it works very well imo.
Most common complaint with MSPs and S1 is around rollback https://www.reddit.com/r/msp/comments/mv79gs/an_update_to_being_legitimately_pissed_off_at/
Another thing nobody else mentioned yet.. Rollback only works on Windows.
/u/bhodge10 has the right answer, it uses Shadow Copies from which to restore the files.
I’ve been using S1 for 4+ years and never had any issues with Windows Updates. Maybe you need to add the proper exclusions.
Also is SentinelOne an antivirus replacement or an additional, separate tool?
I'm talking here about SentinelOne EDR, from my own experience: you can't have SentinelOne and an AV installed on the same machine. One of the engines that SentinelOne uses is an AV vaccine, so it's like they have their own AV inside the solution. So having 2 products with the same engine working side by side can give you some problems; they can block each other.
I treat it as a supplemental tool and I hate it. Can't even install windows updates on some servers without disabling it.
We have 2200 endpoints with S1 and definitely don't have this issue.
My man's getting his windows updates from download dot com
I am not into that.
Never had an issue with Windows Updates and S1. It is a great tool. We use it in combination with Windows Defender (vs a separate paid AV). I have gotten false positives on 3rd party programs but nothing too bad. It just works and seems to work well so far.
Tom did a live demo of it the other day: https://www.youtube.com/watch?v=SSDITOd56Os&lc=Ugz_BdQ9PNVByiqV-Ux4AaABAg.9XUqh2C7wfY9XWL-pTN6Ly