Configuring Windows VSS for Rollback and Changing VSS Interval

The SentinelOne Rollback mitigation feature uses the Microsoft Windows Volume Shadow Copy Service (VSS). This service saves a copy-on-write snapshot of the endpoint drives (physical and logical), and writes the changes made to the drive to a new snapshot at a set interval.

Note: VSS does not save copies of mapped network shares.

To enable SentinelOne Rollback mitigation, make sure that the VSS service is not disabled on your endpoints. Configure VSS and its options in the Windows OS of your endpoints.
Important! Windows commands (such as vssadmin) are case-insensitive, but SentinelOne commands (such as sentinelctl) are case-sensitive. Enter the commands with the character case shown here.

Getting Started

VSS start options are set on the endpoint OS.

  • If the service is disabled on endpoints, shadow copies are not saved and Rollback will not work.

Note: On Windows Server 2008 R2, the Agent always starts the service and saves shadow copies.

  • Log in to the endpoint with the required permissions: sudo for macOS, root or sudo for Linux, Administrator for Windows.
  • If the service is set to Manual or Automatic start, the SentinelOne Agent makes sure that shadow copies are saved.

Important: If the service is disabled on an endpoint, and you change it to Manual or Automatic, the Agent does not take a snapshot until the endpoint is rebooted.

  • Shadow copies are protected from accidental delete when the Agent is installed.

To see SentinelOne shadow copies and to add copies on an endpoint:

  1. On the endpoint, start cmd with Run as Administrator. Run: vssadmin list shadows
  2. In the output, see the shadow copies of the Agent. The Type is: ApplicationRollback
  3. If there are no copies, enable the service:

vssadmin Add ShadowStorage /For=drive /On=storage_drive /MaxSize=percent%
For example: vssadmin Add ShadowStorage /For=C: /On=C: /MaxSize=10%

To see used space in Windows 7 and higher:

  1. Open System and Security > System.
  2. Click System protection.
  3. In the System Properties window, open the System Protection tab.

Make sure the drives you want to be able to rollback are selected.

The SentinelOne Agent creates a new snapshot (restore point) when the endpoint shuts down or starts. If you want to make a new snapshot for this drive on this endpoint, click Create.

  4. Click Configure.

The System Protection for drive window opens. See the Current Usage and Max Usage.

To configure Windows for optimal disk space:

Shadow copies can take up space. This is especially important on virtual systems. We recommend that you set the minimum VSS percent disk utilization to 10%. We highly recommend that it not be less than 5%. VSS space configuration changes the number of stored copies. When the allocated space is filled, the next VSS snapshot replaces older copies.

Important! If you do not set a limit in Windows VSS, the Agent sets it to 10%. If the Agent detects a confirmed ransomware, it raises the allocated space and takes more snapshots, to make sure it has clean snapshots for Rollback.

SentinelOne respects the limits set by the operating system. The Agent does not change the VSS configuration. It does not exceed the allocated space or maximum limit of stored copies (512).

  1. On the endpoint, start cmd with Run as Administrator.
  2. Run: vssadmin List ShadowStorage

The last line of the output shows the maximum storage in GB and in percent of the total.

  3. Change the space allocation for VSS:

vssadmin Resize ShadowStorage /For=drive /On=storage_drive /MaxSize=percent%
Example: Resize space allocation
vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10%
Space allocation impacts security!

Imagine that you set the Windows allocated space for shadow copies to 1% of the disk space of an endpoint. Your Agent is set to save a copy every 4 hours. The endpoint is attacked successfully by ransomware. You must mitigate with Rollback in less than 4 hours – 4 hours from the last copy, not 4 hours from the attack. If you wait too long, the good copies (before the attack) are replaced with copies of the encrypted drive or files. If the attack happens just before the interval roll, your security team has almost no chance with 1% space.

The minimum recommended space allocation of 5 to 10 percent is enough to give you time to respond with a successful mitigation.
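The following PowerShell audit script is an added example, not code from the SentinelOne documentation. It checks one endpoint for the three Rollback prerequisites described above (the VSS service is not disabled, the shadow storage limit meets the 5%/10% guidance, and ApplicationRollback copies exist in the vssadmin list shadows output). It assumes an elevated session, the Agent's default 4-hour interval, and the "creation time:" and "Type:" lines that vssadmin prints.

```powershell
# Added example (not SentinelOne's own code): audit a Windows endpoint for the Rollback
# prerequisites this page describes. Run in an elevated PowerShell session.
$MinPercent = 5           # page: never less than 5%
$RecommendedPercent = 10  # page: recommended minimum
$IntervalHours = 4        # assumption: the Agent uses its default 4-hour snapshot interval
$findings = New-Object System.Collections.Generic.List[string]

# 1. The VSS service must not be Disabled (Manual or Auto start is fine).
$vss = Get-CimInstance -ClassName Win32_Service -Filter "Name='VSS'"
if ($vss.StartMode -eq 'Disabled') {
    $findings.Add('VSS service is Disabled: no shadow copies are saved and Rollback cannot work.')
}

# 2. Compare each volume's shadow storage limit (MaxSpace, in bytes) with the 5%/10% guidance.
$volumes = Get-CimInstance -ClassName Win32_Volume
foreach ($ss in Get-CimInstance -ClassName Win32_ShadowStorage) {
    $vol = $volumes | Where-Object { $_.DeviceID -eq $ss.Volume.DeviceID }
    if (-not $vol -or -not $vol.Capacity) { continue }
    $pct = [math]::Round(100 * $ss.MaxSpace / $vol.Capacity, 1)
    $label = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }
    if ($pct -lt $MinPercent) {
        $findings.Add("$label shadow storage limit is $pct% (below the 5% minimum).")
    } elseif ($pct -lt $RecommendedPercent) {
        $findings.Add("$label shadow storage limit is $pct% (below the recommended 10%).")
    }
}

# 3. Agent snapshots show 'Type: ApplicationRollback' in vssadmin output. Win32_ShadowCopy
#    does not expose that type, so parse the text; the creation time line precedes the Type line.
$rollbackTimes = @()
$created = $null
foreach ($line in (& vssadmin list shadows)) {
    if ($line -match 'creation time:\s*(.+)$') { $created = $Matches[1].Trim() }
    elseif ($line -match '^\s*Type:\s*ApplicationRollback' -and $created) {
        $rollbackTimes += [datetime]::Parse($created)   # vssadmin prints a locale-formatted time
    }
}
if ($rollbackTimes.Count -eq 0) {
    $findings.Add('No ApplicationRollback shadow copies found: the Agent has not taken a snapshot.')
} else {
    $newest = $rollbackTimes | Sort-Object -Descending | Select-Object -First 1
    $ageHours = [math]::Floor(((Get-Date) - $newest).TotalHours)
    if ($ageHours -gt $IntervalHours) {
        $findings.Add("Newest ApplicationRollback copy is $ageHours hours old (interval is $IntervalHours h).")
    }
}

if ($findings.Count -eq 0) { 'Rollback prerequisites look good.' } else { $findings }
```

A copy older than the interval, or a limit below 5%, is the situation the scenario above warns about: the clean copies can be overwritten before the team responds.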

To change the VSS interval snapshots:

The default times for VSS to take a new snapshot, as set in the OS, are usually specific hours, twice a day. SentinelOne makes this action more secure. The Agent sets the interval by default to every four hours, starting at Agent install. Shadow copies are made at a different time for each endpoint, not by the clock. When you create Agent packages or change an Agent configuration, you can change the interval. If you change the interval to zero, shadow copies are disabled.

Note: The counter for the interval does not move when the endpoint is on sleep mode or hibernate. For example, if the endpoint takes a snapshot at midnight, then sleeps for one hour, and is then active for four hours, the next snapshot (with an interval of 4 hours) will be taken at 5:00 AM (and not at 4:00 AM).

  1. In the sidebar, click Sentinels.
  2. Double-click the Agent to change.

The DEVICE DETAILS window opens.

  3. Click ACTIONS and select Show passphrase. Copy the passphrase to a side note.
  4. On the endpoint, start cmd with Run as Administrator.
  5. Go to the SentinelOne directory:

cd c:\program files\sentinelone\sentinel agent <version>\

  6. Turn off the Agent self-protection. With the passphrase that you copied, run:

sentinelctl.exe unprotect -k "<passphrase>"

The unprotect command is necessary to change the configuration of the Agent. Complete this procedure quickly. Do not leave the Agent vulnerable for longer than necessary.

  7. Run the command to change the interval.

IMPORTANT! The command and its units are different in Agent 1.8.4 and in Agent 2.1 and higher. Make sure you run the correct command for your version.

    • Agent version 1.8.4:

sentinelctl.exe configure -p agent.vssConfig.snapshotInterval -v <milliseconds>

    • Agent version 2.1+:

sentinelctl.exe configure -p agent.snapshotIntervalMinutes -v <minutes>

The output shows the interval. For example:

240 = every 4 hours from Agent 2.1 installation.

Note: If the output is 0, no shadow copies are saved. Use this only for specific environment limitations that require you to temporarily turn off VSS snapshots for some Agents. If other programs use VSS and take snapshots, Rollback will still work, but it will depend on how often the other programs take snapshots and how quickly mitigation is run.

Best Practice: if you must disable VSS and Rollback permanently, use the Disable steps.

  8. Unload the Agent:

sentinelctl.exe unload -a

  9. Load the Agent again:

sentinelctl.exe load -a

  10. Turn on the Agent self-protection:

sentinelctl.exe protect

Note:  If the snapshot interval stays the same after the change, restart the endpoint.

To enable VSS for all endpoints:

Send a Windows policy through the Active Directory Group Policy Object (GPO) server.

  1. On your Domain Controller server, click Start and enter: mmc
  2. In the Windows Console window, click File > Add/Remove Snap-in.
  3. Add the Group Policy Management snap-in.
  4. In Domains > the domain to configure, right-click Default Domain Policy and select Edit.
  5. In the Group Policy Manager Editor, click Computer Configuration > Preferences > Control Panel Settings.
  6. Right-click Services and select New Service.
  7. In New Service Properties > Startup, click Manual.
  8. In the Service name list, select VSS (Volume Shadow Copy).
  9. In Log on as, select Local System account.
  10. Click OK.

To configure all endpoints consistently for VSS:

  1. Make sure the change does not impact other programs. Run: vssadmin list shadows

The output shows, with other data, the Type of each copy. ApplicationRollback is SentinelOne. Look at other types and make sure you understand their purpose. Run vssadmin list writers to learn more about other programs. Note: Not all programs that use VSS are listed as writers.

  2. In the Domain Controller Group Policy Manager Editor, open Control Panel Settings.
  3. Right-click Scheduled Tasks and select New Scheduled Task (At least Windows 7).
  4. In the window that opens, enter a name for the Task and select the Domain Administrator account to use.
  5. In the Action list, click Create.
  6. In the Trigger tab, click New.
  7. In the window that opens, in the Begin the task list, click At log on.
  8. Click OK.
  9. In the Actions tab, click New.
  10. In the window that opens, in the Action list, click Start a program.
  11. In Program/Script, enter the command to configure the VSS service with the recommended maximum storage size of 10%:

cmd /c "vssadmin Resize ShadowStorage /For=c: /On=C: /MaxSize=10%"

  12. Click OK.

The change is applied to endpoints after they reboot.

To restore shadow copies:

You can restore folders and files affected in the threat group with granular control, using third-party tools. This procedure uses the ShadowExplorer. We cannot be responsible for the results. We offer these steps as extra information. See the ShadowExplorer documentation.

  1. Download ShadowExplorer.
  2. Install and run it. See ShadowExplorer.com for instructions.
  3. In the main window, select the drive and backup time of the restore point.
  4. Select the folders and files to restore.
  5. Right-click and select Export.
  6. In the window that opens, create or select a folder.
  7. Click OK.

To disable VSS protection completely:

These steps turn off VSS and Rollback completely. If you want to stop taking new snapshots temporarily, use the Interval Change steps.

  1. Turn off the Agent self-protection. With the passphrase that you copied, run:

sentinelctl.exe unprotect -k "<passphrase>"

  2. Turn off VSS protection:

sentinelctl config -p agent.vssConfig.vssProtection -v false

sentinelctl config -p agent.vssSnapshots -v false

  3. Turn on the Agent self-protection:

sentinelctl.exe protect

  4. Reboot the endpoint.

To delete snapshots:

Important:  This procedure uses vssadmin, which is a Microsoft tool. For help with vssadmin specific issues, please contact Microsoft.

  1. Turn off the Agent self-protection. With the passphrase that you copied, run:

sentinelctl.exe unprotect -k "<passphrase>"

  2. Disable deletion-protection for shadow copies. Run:

sentinelctl config -p vssConfig.vssProtection -v false

  3. Open cmd or PowerShell as administrator and run the relevant command:
    • To delete all shadow copies: vssadmin delete shadows /all
    • To delete the oldest: vssadmin delete shadows /For=C: /Oldest
    • To select shadow copies to delete, get a list of the shadow copy IDs and then delete by ID:

vssadmin list shadows

vssadmin delete shadows /shadow=<ShadowID>

    • If you see this error:

Error: Snapshots were found, but they were outside of your allowed context.  Try removing them with the backup application which created them.

      1. Log in as an administrator. Membership in the local Administrators group, or equivalent, is required to run DiskShadow.
      2. Start DiskShadow: Diskshadow
      3. Run: delete shadows all
  4. Turn on the Agent self-protection:

sentinelctl.exe protect